

Dear Readers!

BSD is already becoming an international magazine. People all over the world have access to our magazine and download it. We are happy that our work is so appreciated and BSD magazine popularity is growing.

First of all I wanted to thank you for your letters of support, they mean really a lot to us and help constantly to improve! All our authors worked hard to make their articles interesting and useful. I really hope you will like this issue as much as the previous.

This month's topic is “BSD as a desktop”. Why this topic?

We thought that some of you still might have doubts about choosing an OS, so this issue surely will help you to learn more about BSD as a desktop and help to make a decision.

But those of you who already use BSD should not close the magazine after reading my previous statement, because you could lose a lot. =)

Please feel free to contact us, we are open to criticism, not only to new ideas and suggestions. Your feedback is very important to us.

Olga Kartseva
Editor in Chief
Contents

Build Your Own FreeBSD Update Server
Jason Helfman
Experienced users or administrators responsible for several machines or environments know the difficult demands and challenges of maintaining such an infrastructure. The article outlines the steps involved in creating an internal FreeBSD Update Server.

Using OpenBSD and PF as a Virtual Firewall for Windows
Pedro Lereno
The Windows firewall, by default, has many open ports to the local network, like the file and print sharing service ports, which are the source of many security holes. How to protect a Windows host with a basic configuration of an OpenBSD virtual machine with PF as a NAT router and firewall?

how-to’s

Keeping FreeBSD Applications Up-To-Date
Richard Bejtlich, Principal Technologist and Director of Incident Response, General Electric
An important system administration task, and a principle of running a defensible network, is keeping operating systems and applications up-to-date. In this article you will find multiple ways to complete this task.

Spam Control with a stock OpenBSD install
Girish Venkatachalam
Ever since e-mails became ubiquitous, unwanted e-mails, or spam, also known as UCE (Unsolicited Commercial E-mail) or UBE (Unsolicited Bulk E-mail), also became popular. Any chance to control this? OpenBSD has an excellent method to fight spam and this article is about it.

Choosing and Installing a Window Manager with FreeBSD
Rob Somerville
Step by step installing with comments and advice. One of the many attractive features of BSD is that the end-user is not tied to a particular desktop or windowing environment.

interview

BSD Live Desktops
Jesse Smith
Last week Zafer Aydogan, founder of Jibbed, and Stefan Rinkes, founder of GNOBSD, agreed to talk with Jesse Smith about their projects (from which the BSD community will surely benefit), themselves and BSD.

let’s talk

BSD goes to the Office: Can BSD compete in a real life consulting workplace?
Mike Bybee, Consultant, Fujitsu America
A reminder of our last issue's topic: an article about an experiment to determine the viability of a BSD desktop in a real world, high pressure consulting engagement. There are many articles that expound on the success of Linux as a desktop, and quite a few accounts of using a Linux desktop in this case or that case. But this one is written not from the perspective of a journalist or home user, but from a system administration and consulting perspective.
Build Your Own FreeBSD Update Server

Jason Helfman

Experienced users or administrators responsible for several machines, or environments, know the difficult demands and challenges of maintaining such an infrastructure.

Running a FreeBSD Update Server makes it easier to deploy security and software patches to selected test machines before rolling them out to production. It also means a number of systems can be updated from a local network rather than a much slower Internet connection. This article outlines the steps involved in creating an internal FreeBSD Update Server.

Prerequisites

To build an internal FreeBSD Update Server you will need the following.

A running FreeBSD system.

A user account with at least 4 GB of available space. This will allow for the creation of at least updates for 7.1 and 7.2. Beyond this, space requirements will need to be considered.

An ssh(1) account on a remote machine to upload distributed updates. See the man page here: http://www.freebsd.org/cgi/man.cgi?query=ssh&sektion=1.

An Apache (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-apache.html) web server, with over half of the space required for the build. For instance, my builds total 4G, and the webserver space needed to distribute updates is 2.6G.

Basic knowledge of shell scripting with Bourne shell, sh(1). See the man page here: http://www.freebsd.org/cgi/man.cgi?query=sh&sektion=1.

Configuration: Installation & Setup

Download the freebsd-update-server software at http://www.freebsd.org/cgi/cvsweb.cgi/projects/freebsd-update-server/. A tarball may be downloaded, or use csup(1) and the projects-all collection. See the man page here for csup: http://www.freebsd.org/cgi/man.cgi?query=csup&sektion=1.

Update scripts/build.conf appropriately. It is sourced during build operations.

Here is the default build.conf.default, which should be modified (Listing 1).

Parameters for consideration would be:

FTP - This is where the subroutine fetchiso() declared in scripts/build.subr will contact the configured source for downloading the FreeBSD ISO. This can be configured to be an http address, as well. For our purposes, ISOs are on the same server as our internal http server that will be serving updates. The software has been configured to look in that location. For this setup, we have to alter the routine to fetch the ISO. By copying the source build.subr to scripts/RELEASE/ARCHITECTURE/build.subr this file will be sourced instead of the released source for build.subr.

BUILDHOSTNAME - Host where software will build. Coincidentally, this information will be displayed on updated systems when issuing: uname -v

SSHKEY - Key for uploading to update server where clients will fetch patches or upgrades. A key pair is created by executing ssh-keygen -t dsa. Altering this parameter is not necessary, as standard password authentication through ssh will suffice if configured properly. ssh-keygen(1) has more detailed information on creating a key pair. The man page can be found here: http://www.freebsd.org/cgi/man.cgi?query=ssh-keygen&sektion=1.

MASTERACCT - Account that files are uploaded to on remote system.

MASTERDIR - Directory where files are uploaded to on remote system.

This article describes building an internal FreeBSD Update Server. The freebsd-update-server software, located at http://www.freebsd.org/cgi/cvsweb.cgi/projects/freebsd-update-server/, is written by Colin Percival cperciva@FreeBSD.org, Security Officer of FreeBSD. If you thought it was fun to update your system against an Official Update Server, just wait until you have an updated system from your very own FreeBSD Update Server.

Now that build directives are set, the installation files are configured for a build. For this example, we will use RELEASE-7.2 under amd64 architecture. Configuration files for i386 architecture are available with downloaded source.

Create the build environment directory under scripts/RELEASE-7.2/amd64.

% mkdir -p /usr/local/freebsd-update-server/scripts/RELEASE-7.2/amd64

This is the build.conf file that should be placed in the directory that was created in the previous step (see Listing 2).

Note

To generate the End of Life number for build.conf, refer to the Estimated EOL posted on the FreeBSD Security Website at http://www.freebsd.org/security/security.html.

Based on this date, you can issue date -j -f '%Y%m%d-%H%M%S' '20090401-000000' '+%s', and substitute actual date parameters for those stated by FreeBSD.

The SHA256 hash key for the desired release is published within the respective release announcement found at http://www.freebsd.org/releases/.

Building Update Code

The first step is to run scripts/make.sh. This will build some binaries, create directories, and generate an RSA signing key used for approving builds. In this step, a passphrase will have to be supplied for the final creation of the signing key (see Listing 3).
Listing 1. Installation and Setup 1st step

# $FreeBSD: projects/freebsd-update-server/scripts/build.conf,v 1.1 2006/08/31 07:48:40 cperciva Exp $

# Main configuration file for FreeBSD Update builds.  The
# release-specific configuration data is lower down in
# the scripts tree.

# Location from which to fetch releases
export FTP=ftp://ftp2.freebsd.org/pub/FreeBSD/releases

# Host platform
export HOSTPLATFORM=`uname -m`

# Host name to use inside jails
export BUILDHOSTNAME=${HOSTPLATFORM}-builder.daemonology.net

# Location of SSH key
export SSHKEY=/root/.ssh/id_dsa

# SSH account into which files are uploaded
MASTERACCT=builder@wadham.daemonology.net

# Directory into which files are uploaded
MASTERDIR=update-master.freebsd.org


Listing 2. Installation and Setup 2nd step

# SHA256 hash of RELEASE disc1.iso image.
export RELH=lealf6fe52d7ch5f5eab7ef9f8edbed50cb664b08ed7 61850F95F48e86cc7lef5 

# Components of the world, source, and kernels
export WORLDPARTS="base catpages dict doc games info manpages proflibs lib32"
export SOURCEPARTS="base bin contrib crypto etc games gnu include krb5 \
    lib libexec release rescue sbin secure share sys tools \
    ubin usbin"
export KERNELPARTS="generic"

# EOL date
export EOL=1275289200


Listing 3. Building Update Code. Final creation of a signing key

# sudo sh scripts/make.sh
cc -O2 -fno-strict-aliasing -pipe findstamps.c -o findstamps
findstamps.c: In function 'usage':
findstamps.c:45: warning: incompatible implicit declaration of built-in function 'exit'
cc -O2 -fno-strict-aliasing -pipe unstamp.c -o unstamp
install findstamps ../bin
install unstamp ../bin
rm -f findstamps unstamp
Generating RSA private key, 4096 bit long modulus
e is 65537 (0x10001)

Public key fingerprint: 
27Tef53e48dc869eea6c3136091ccb6ab8589F967559824779e855d58a2294de9e 
Encrypting signing key for root
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
Note

Take down the generated KeyPrint; this value is entered into /etc/freebsd-update.conf for binary updates. At this point, we are ready to stage a build.

# cd /usr/local/freebsd-update-server
# sh scripts/init.sh amd64 RELEASE-7.2

What follows is a sample of an initial build run (see Listing 4).

Listing 4. Building Update Code. Initial build run

# sh scripts/init.sh amd64 7.2-RELEASE
Mon Aug 24 16:04:36 PDT 2009 Starting fetch for FreeBSD/amd64 7.2-RELEASE
/usr/local/freebsd-update-server/work/7.2-RELE  100% of  588 MB  359 kBps 00m00s
Verifying disc1 hash for FreeBSD/amd64 7.2-RELEASE
Extracting components for FreeBSD/amd64 7.2-RELEASE
Constructing world+src image for FreeBSD/amd64 7.2-RELEASE
Extracting world+src for FreeBSD/amd64 7.2-RELEASE
Building world for FreeBSD/amd64 7.2-RELEASE
Distributing world for FreeBSD/amd64 7.2-RELEASE
Building and distributing kernels for FreeBSD/amd64 7.2-RELEASE
Constructing world components for FreeBSD/amd64 7.2-RELEASE
Distributing source for FreeBSD/amd64 7.2-RELEASE
Moving components into staging area for FreeBSD/amd64 7.2-RELEASE
Identifying extra documentation for FreeBSD/amd64 7.2-RELEASE
Extracting extra docs for FreeBSD/amd64 7.2-RELEASE
Indexing release for FreeBSD/amd64 7.2-RELEASE
Indexing world0 for FreeBSD/amd64 7.2-RELEASE

Files built but not released:
Files released but not built:
Files which differ by more than contents:
Files which differ between release and build:
kernel|generic|/GENERIC/hptrr.ko
kernel|generic|/GENERIC/kernel
src|sys|/sys/conf/newvers.sh
world|base|/boot/loader
world|base|/boot/pxeboot
world|base|/etc/mail/freebsd.cf
world|base|/etc/mail/freebsd.submit.cf
world|base|/etc/mail/sendmail.cf
world|base|/etc/mail/submit.cf
world|base|/lib/libcrypto.so.5
world|base|/usr/bin/ntpq
world|base|/usr/lib/libalias.a
world|base|/usr/lib/libalias_cuseeme.a
world|base|/usr/lib/libalias_dummy.a
world|base|/usr/lib/libalias_ftp.a

Note

Then the build of the world is performed again, with world patches. A more detailed explanation may be found in scripts/build.subr.

Note

And then the build completes. Approve the build if everything looks ok. More information on determining if things are ok can be found in the distributed source file named USAGE.

Execute scripts/approve.sh, as directed. This will sign the release, and move components into a staging area suitable for uploading. It is important to make sure that your key is mounted during this process. A simple df will show if it is mounted. If not mounted, mount the key with the passphrase supplied when creating it earlier (see Listing 7).

# cd /usr/local/freebsd-update-server
# sh scripts/mountkey.sh
After completing the approval process, you may proceed with the upload.

# cd /usr/local/freebsd-update-server
# sh scripts/upload.sh amd64 RELEASE-7.2

The uploaded files will need to be in the DocumentRoot of the webserver in order for updates to be distributed. For further explanation, please refer to the Configuration section of the Apache documentation.

Note

Updates for the current release of the FreeBSD system you are updating, and for the release you want to upgrade to, need to be built in order for FreeBSD Update Server to work properly. This is necessary for merging of files between releases. For example, if you are updating a system from FreeBSD 7.1 to FreeBSD 7.2, you will need to have update code built for FreeBSD 7.1-RELEASE and FreeBSD 7.2-RELEASE. Update the client's KeyPrint and ServerName in /etc/freebsd-update.conf, and perform updates as instructed in the FreeBSD Update instructions in the handbook. The instructions can be found at http://www.freebsd.org/doc/en/books/handbook/updating-freebsd-update.html.
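
One way to check a client against the Note above, as an added example that is not part of freebsd-update or freebsd-update-server: it confirms that the KeyPrint in a client's freebsd-update.conf equals the SHA256 of the public key file your server publishes, and that ServerName names the internal server. The key file name pub.ssl, the host update.myserver.com and the file contents are assumptions constructed for the demo.

```sh
#!/bin/sh
# Added example: check that a client trusts the internal update server's key.
# Not part of freebsd-update or freebsd-update-server.

# Print the value of a "Keyword value" line from a freebsd-update.conf style
# file, ignoring comments; the last occurrence wins.
conf_value() {    # usage: conf_value KEYWORD FILE
    awk -v k="$1" '
        { sub(/#.*/, "") }
        $1 == k { v = $2 }
        END { if (v != "") print v }' "$2"
}

# SHA256 of a file as hex: sha256(1) on FreeBSD, sha256sum(1) elsewhere.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else sha256sum "$1" | awk '{ print $1 }'; fi
}

# Succeed only if CONF names the expected server and its KeyPrint equals the
# SHA256 of PUBKEY (the public key file fetched from that server).
check_client_pin() {    # usage: check_client_pin CONF PUBKEY EXPECTED_SERVER
    pin_conf=$1; pin_key=$2; pin_want=$3
    [ -r "$pin_conf" ] && [ -r "$pin_key" ] || {
        echo "FAIL: cannot read input files"; return 1; }
    pin_print=$(conf_value KeyPrint "$pin_conf" | tr 'A-F' 'a-f')
    pin_server=$(conf_value ServerName "$pin_conf")
    if ! printf '%s\n' "$pin_print" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "FAIL: KeyPrint missing or not a 64-digit SHA256 value"; return 1
    fi
    if [ "$pin_server" != "$pin_want" ]; then
        echo "FAIL: ServerName is '$pin_server', expected '$pin_want'"; return 1
    fi
    if [ "$(file_sha256 "$pin_key" | tr 'A-F' 'a-f')" != "$pin_print" ]; then
        echo "FAIL: KeyPrint does not match the SHA256 of $pin_key"; return 1
    fi
    echo "OK: $pin_conf trusts $pin_server with the expected key"
}

# Demo on constructed files: a matching pin, then a key that has changed.
demo_client_pin() {
    d=$(mktemp -d) || return 1
    printf 'constructed stand-in for the server public key\n' > "$d/pub.ssl"
    printf '# constructed client configuration\nKeyPrint %s\nServerName update.myserver.com\n' \
        "$(file_sha256 "$d/pub.ssl")" > "$d/freebsd-update.conf"
    check_client_pin "$d/freebsd-update.conf" "$d/pub.ssl" update.myserver.com
    echo 'tampered' >> "$d/pub.ssl"    # published key no longer matches the pin
    check_client_pin "$d/freebsd-update.conf" "$d/pub.ssl" update.myserver.com || true
    rm -rf "$d"
}
demo_client_pin
```

Run it on a client with the real /etc/freebsd-update.conf and a copy of the key file fetched from the update server; a failure means the client would reject updates signed by your build.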

For reference, here is the entire run of init.sh.

Listing 5. Building Update Code

Extracting world+src for FreeBSD/amd64 7.2-RELEASE
Building world for FreeBSD/amd64 7.2-RELEASE
Distributing world for FreeBSD/amd64 7.2-RELEASE
Building and distributing kernels for FreeBSD/amd64 7.2-RELEASE
Constructing world components for FreeBSD/amd64 7.2-RELEASE
Distributing source for FreeBSD/amd64 7.2-RELEASE
Moving components into staging area for FreeBSD/amd64 7.2-RELEASE
Extracting extra docs for FreeBSD/amd64 7.2-RELEASE
Indexing world1 for FreeBSD/amd64 7.2-RELEASE
Locating build stamps for FreeBSD/amd64 7.2-RELEASE
Cleaning staging area for FreeBSD/amd64 7.2-RELEASE
Preparing to copy files into staging area for FreeBSD/amd64 7.2-RELEASE
Copying data files into staging area for FreeBSD/amd64 7.2-RELEASE
Copying metadata files into staging area for FreeBSD/amd64 7.2-RELEASE
Constructing metadata index and tag for FreeBSD/amd64 7.2-RELEASE

Files found which include build stamps:
kernel|generic|/GENERIC/hptrr.ko
kernel|generic|/GENERIC/kernel
world|base|/boot/loader
world|base|/boot/pxeboot
world|base|/etc/mail/freebsd.cf
world|base|/etc/mail/freebsd.submit.cf
world|base|/etc/mail/sendmail.cf
world|base|/etc/mail/submit.cf
world|base|/lib/libcrypto.so.5
world|base|/usr/bin/ntpq
world|base|/usr/include/osreldate.h
world|base|/usr/lib/libalias.a
world|base|/usr/lib/libalias_cuseeme.a
world|base|/usr/lib/libalias_dummy.a
world|base|/usr/lib/libalias_ftp.a

Building a Patch

In the event a security advisory is posted to the FreeBSD Security Advisories page, http://www.freebsd.org/security/advisories.html, a patch update can be built. For this example, I will be using 7.1-RELEASE. A couple of assumptions are made for a different release build:

Set up the correct directory structure for the initial build.

Perform an initial build for 7.1-RELEASE.

Create the patch directory under /usr/local/freebsd-update-server/patches/ for the respective release.
% mkdir -p /usr/local/freebsd-update-server/patches/RELEASE-7.1/

As an example, take the patch for named(8) found at http://www.freebsd.org/cgi/man.cgi?query=named&sektion=8. Read the advisory, and grab the necessary file from FreeBSD Security Advisories at http://www.freebsd.org/security/advisories.html. If you have trouble interpreting the advisory, please read this page for more information: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security-advisories.html.

From the security brief found here http://security.freebsd.org/advisories/FreeBSD-SA-09:12.bind.asc, we can see it is called SA-09:12.bind.

After downloading the file, it is required to rename the file to an appropriate patch level. It is suggested to keep this in line with official FreeBSD patch levels; however, this is just a suggestion.

For this build, let us follow the brief and call this p7. Rename the file:

% cd /usr/local/freebsd-update-server/patches/RELEASE-7.1/; mv bind.patch 7-SA-09:12.bind

Note

When running a patch level build, it is assumed that previous patches are in place. When a patch build is run, it will run all patches contained in the patch directory. Beyond this, you will have to take appropriate measures to verify authenticity of the patch.

You can also add your own patches to any build. Use the number zero, or any other number.

At this point, a diff is ready to be built. The software checks first to see if a scripts/init.sh has been run on the respective release prior to running the diff build.

# cd /usr/local/freebsd-update-server
# sh scripts/diff.sh amd64 RELEASE-7.1 7

What follows is the results of a diff build run (see Listing 8).

Note

Updates are printed, and approval is requested.

Follow the same process as noted before approving a build (Listing 10). After approving the build, upload the software.

# cd /usr/local/freebsd-update-server
# sh scripts/upload.sh amd64 RELEASE-7.1

Listing 6. Building Update Code

Values of build stamps, excluding library archive headers:
v1.2 (Aug 25 2009 00:40:36)
v1.2 (Aug 25 2009 00:38:22)
@(#)FreeBSD 7.2-RELEASE #0: Tue Aug 25 00:38:29 UTC 2009
FreeBSD 7.2-RELEASE #0: Tue Aug 25 00:38:29 UTC 2009
    root@server.myhost.com:/usr/obj/usr/src/sys/GENERIC
7.2-RELEASE
Mon Aug 24 23:55:25 UTC 2009
Mon Aug 24 23:55:25 UTC 2009
##### built by root@server.myhost.com on Tue Aug 25 00:16:15 UTC 2009
##### built by root@server.myhost.com on Tue Aug 25 00:16:15 UTC 2009
##### built by root@server.myhost.com on Tue Aug 25 00:16:15 UTC 2009
##### built by root@server.myhost.com on Tue Aug 25 00:16:15 UTC 2009
Mon Aug 24 23:46:47 UTC 2009
ntpq 4.2.4p5-a Mon Aug 24 23:55:53 UTC 2009 (1)
 * Copyright (c) 1992-2009 The FreeBSD Project.
Mon Aug 24 23:46:47 UTC 2009
Mon Aug 24 23:55:40 UTC 2009
Aug 25 2009
ntpd 4.2.4p5-a Mon Aug 24 23:55:52 UTC 2009 (1)
ntpdate 4.2.4p5-a Mon Aug 24 23:55:53 UTC 2009 (1)
ntpdc 4.2.4p5-a Mon Aug 24 23:55:53 UTC 2009 (1)
Tue Aug 25 00:21:21 UTC 2009
Tue Aug 25 00:21:21 UTC 2009
Tue Aug 25 00:21:21 UTC 2009
Mon Aug 24 23:46:47 UTC 2009

FreeBSD/amd64 7.2-RELEASE initialization build complete.  Please
review the list of build stamps printed above to confirm that
they look sensible, then run
# sh -e approve.sh amd64 7.2-RELEASE
to sign the release.

Listing 7. Mounting the key with the passphrase supplied

# sh -e scripts/approve.sh amd64 7.2-RELEASE
Wed Aug 26 12:50:06 PDT 2009 Signing build for FreeBSD/amd64 7.2-RELEASE
Wed Aug 26 12:50:06 PDT 2009 Copying files to patch source directories for FreeBSD/amd64 7.2-RELEASE
Wed Aug 26 12:50:06 PDT 2009 Copying files to upload staging area for FreeBSD/amd64 7.2-RELEASE
Wed Aug 26 12:50:07 PDT 2009 Updating databases for FreeBSD/amd64 7.2-RELEASE
Wed Aug 26 12:50:07 PDT 2009 Cleaning staging area for FreeBSD/amd64 7.2-RELEASE

For reference, here is the entire run of diff.sh.
Listing 8. Results of a diff build run

# sh -e scripts/diff.sh amd64 7.1-RELEASE 7
Wed Aug 26 10:09:59 PDT 2009 Extracting world+src for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 17:10:25 UTC 2009 Building world for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 18:05:11 UTC 2009 Distributing world for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 18:06:16 UTC 2009 Building and distributing kernels for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 18:17:50 UTC 2009 Constructing world components for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 18:18:02 UTC 2009 Distributing source for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 11:19:23 PDT 2009 Moving components into staging area for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 11:19:33 PDT 2009 Extracting extra docs for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 11:19:42 PDT 2009 Indexing world0 for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 11:23:02 PDT 2009 Extracting world+src for FreeBSD/amd64 7.1-RELEASE-p7
Thu Sep 30 18:23:29 UTC 2010 Building world for FreeBSD/amd64 7.1-RELEASE-p7
Thu Sep 30 19:18:15 UTC 2010 Distributing world for FreeBSD/amd64 7.1-RELEASE-p7
Thu Sep 30 19:19:18 UTC 2010 Building and distributing kernels for FreeBSD/amd64 7.1-RELEASE-p7
Thu Sep 30 19:30:52 UTC 2010 Constructing world components for FreeBSD/amd64 7.1-RELEASE-p7
Thu Sep 30 19:31:03 UTC 2010 Distributing source for FreeBSD/amd64 7.1-RELEASE-p7
Thu Sep 30 12:32:25 PDT 2010 Moving components into staging area for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:32:39 PDT 2009 Extracting extra docs for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:32:43 PDT 2009 Indexing world1 for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:35:54 PDT 2009 Locating build stamps for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:36:58 PDT 2009 Reverting changes due to build stamps for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:37:14 PDT 2009 Cleaning staging area for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:37:14 PDT 2009 Preparing to copy files into staging area for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:37:15 PDT 2009 Copying data files into staging area for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:43:23 PDT 2009 Copying metadata files into staging area for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:43:25 PDT 2009 Constructing metadata index and tag for FreeBSD/amd64 7.1-RELEASE-p7

Files found which include build stamps:
kernel|generic|/GENERIC/hptrr.ko
kernel|generic|/GENERIC/kernel
world|base|/boot/loader
world|base|/boot/pxeboot
world|base|/etc/mail/freebsd.cf
world|base|/etc/mail/freebsd.submit.cf
world|base|/etc/mail/sendmail.cf
world|base|/etc/mail/submit.cf
world|base|/lib/libcrypto.so.5
world|base|/usr/bin/ntpq
world|base|/usr/include/osreldate.h
world|base|/usr/lib/libalias.a
world|base|/usr/lib/libalias_cuseeme.a
world|base|/usr/lib/libalias_dummy.a
world|base|/usr/lib/libalias_ftp.a

Values of build stamps, excluding library archive headers:
v1.2 (Aug 26 2009 18:13:46)
v1.2 (Aug 26 2009 18:11:44)
@(#)FreeBSD 7.1-RELEASE-p7 #0: Wed Aug 26 18:11:50 UTC 2009
FreeBSD 7.1-RELEASE-p7 #0: Wed Aug 26 18:11:50 UTC 2009
    root@server.myhost.com:/usr/obj/usr/src/sys/GENERIC
7.1-RELEASE-p7
Wed Aug 26 17:29:15 UTC 2009
Wed Aug 26 17:29:15 UTC 2009
##### built by root@server.myhost.com on Wed Aug 26 17:49:58 UTC 2009
##### built by root@server.myhost.com on Wed Aug 26 17:49:58 UTC 2009
##### built by root@server.myhost.com on Wed Aug 26 17:49:58 UTC 2009
##### built by root@server.myhost.com on Wed Aug 26 17:49:58 UTC 2009
Wed Aug 26 17:20:39 UTC 2009
ntpq 4.2.4p5-a Wed Aug 26 17:29:42 UTC 2009 (1)
 * Copyright (c) 1992-2009 The FreeBSD Project.
Wed Aug 26 17:20:39 UTC 2009
Wed Aug 26 17:29:30 UTC 2009
Aug 26 2009
ntpd 4.2.4p5-a Wed Aug 26 17:29:41 UTC 2009 (1)
ntpdate 4.2.4p5-a Wed Aug 26 17:29:42 UTC 2009 (1)
ntpdc 4.2.4p5-a Wed Aug 26 17:29:42 UTC 2009 (1)
Wed Aug 26 17:55:02 UTC 2009
Wed Aug 26 17:55:02 UTC 2009
Wed Aug 26 17:55:02 UTC 2009
Wed Aug 26 17:20:39 UTC 2009
Listing 9. Building a patch

New updates:
kernel|generic|/GENERIC/kernel.symbols|f|0|0|0555|0|7c8dc176763f96ced0a57fc04e7c1b8d793f27e006dd13e0b499e1474ac47e10|
kernel|generic|/GENERIC/kernel|f|0|0|0555|0|33197e8cf15bbbac263d17f39c153c9d489348c2c534f7ca1120a1183dec67b1|
kernel|generic|/|d|0|0|0755|0||
src|base|/|d|0|0|0755|0||
src|bin|/|d|0|0|0755|0||
src|cddl|/|d|0|0|0755|0||
src|contrib|/contrib/bind9/bin/named/update.c|f|0|10000|0644|0|4d434abf0983df9bc47435670d307fa882ef4b348ed8ca90928d250f42ea0757|

Sve | contrib||/contrio/bind9/ lib;dns/openssldsa lank.) £|0)/10000)| 06440 |\cos0ses9Eidara0Gdd3tlo3t2oc3 f4adeI2ddcd9a2d97 9c 
Oacc88d736324f550 | 

src|contrib|/contrib/bind9/lib/dns/opensslrsa_ link.c|f£|0/10000|0644/|0|fa0f7417ee9da42cc8d0 fd96ad24e7a34125e05b5ace075b 
dees73erle0rZa7 Z| 


FreeBSD/amd64 7.1-RELEASE update build complete.  Please review
the list of build stamps printed above and the list of updated
files to confirm that they look sensible, then run
# sh -e approve.sh amd64 7.1-RELEASE
to sign the build.

Listing 10. Approving a build

# sh -e scripts/approve.sh amd64 7.1-RELEASE
Wed Aug 26 12:50:06 PDT 2009 Signing build for FreeBSD/amd64 7.1-RELEASE
Wed Aug 26 12:50:06 PDT 2009 Copying files to patch source directories for FreeBSD/amd64 7.1-RELEASE
Wed Aug 26 12:50:06 PDT 2009 Copying files to upload staging area for FreeBSD/amd64 7.1-RELEASE
Wed Aug 26 12:50:07 PDT 2009 Updating databases for FreeBSD/amd64 7.1-RELEASE
Wed Aug 26 12:50:07 PDT 2009 Cleaning staging area for FreeBSD/amd64 7.1-RELEASE

The FreeBSD/amd64 7.1-RELEASE update build has been signed and is
ready to be uploaded.  Remember to run
# sh -e umountkey.sh
to unmount the decrypted key once you have finished signing all
the new builds.


Tips

If you build your own release using the native make release, freebsd-update-server code will work from your release. As an example, you may build a release without ports or documentation and add a custom kernel. After removing functionality pertaining to the documentation subroutine and altering the buildworld() subroutine in scripts/build.subr, the freebsd-update-code will successfully build update code on this release.

Add make -j NUMBER to scripts/build.subr to speed up processing. Adding flags to anything other than make buildworld and make obj may cause the build to become unreliable.

Create a firewall rule to block outgoing RST packets. Due to a bug noted in this posting, http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2009-04/msg00365.html, you will have many time-outs and fail to update a system.

Create an appropriate DNS SRV record for your update server, and put others behind it with variable weights. This effectively creates update mirrors.

_http._tcp.update.myserver.com.    IN SRV 0 2 80 host1.myserver.com.
                                      SRV 0 1 80 host2.myserver.com.
                                      SRV 0 0 80 host3.myserver.com.

Please read the source documentation. It contains valuable information that will allow you to utilize all features of the software.

Afterword

This FreeBSD Update article, found at http://www.experts-exchange.com/articles/OS/Unix/BSD/FreeBSD/Build-Your-Own-FreeBSD-Update-Server.html, was originally published at Experts-Exchange (http://www.experts-exchange.com).
Using OpenBSD and PF as a Virtual Firewall for Windows


Pedro Lereno


This article describes how to protect a Windows host with a basic configuration of an
OpenBSD virtual machine with PF as a NAT router and firewall.


With the increasing usage of third-party networks (like hotel networks and wireless hotspots) people are increasingly putting their Windows laptops at risk. When we connect to unknown networks, we lose the protection of our home NAT router or enterprise firewall.

The Windows firewall, by default, has many open ports to the local network, like the file and print sharing service ports, which are the source of many security holes. Some malware changes settings on the Windows firewall and hides those changes. There is nothing better than a different OS in the middle to keep track of our network traffic.


Figure 1. Unselect all items except VMware Bridge Protocol

Figure 2. Be sure to unselect Windows TCP/IP
Because of that a new kind of device has been born: portable travel routers. With that in mind, why not create our own travel router inside our laptop?

After reading the great article from Prof. Vassilis Prevelakis from Drexel University in Philadelphia (http://www.prevelakis.net/Papers/VirtualFirewall.pdf), I decided to build my own virtual firewall.


Preparing the Host Machine 

First we need to install a new VMware Server virtual machine. After the machine is built and configured with the correct hardware interfaces we can deploy to other hosts with the lightweight VMware Player.

I have chosen VMware because of my experience with it. I didn't try this setup with other virtualization products but I think it will work in the same way.

To get VMware go to http://www.vmware.com, select Products and VMware Server (a free virtual server). To download the product you have to register. Once downloaded, install VMware.

In order to make your Windows host invisible to the outside world, configure your Windows network adapter with only the VMware Bridge Protocol selected (Figure 1). Be sure to unselect Client for Microsoft Networks and Internet Protocol (TCP/IP) (see Figure 2).

On Vmnet1, configure the default gateway and the DNS servers. The default gateway will be the IP address of the host only interface (vic1) of the virtual machine (VM). The other interface of the VM is bridged with the real interface (Figure 3). The Vmnet8 Windows interface may be disabled.

The host only interface connects only to the host; the bridged interface is shared with the physical interface.

We can check the Windows IP configuration with the command ipconfig:

Ethernet adapter VMware Network Adapter VMnet1:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.21.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.21.2


Figure 3. Virtual scenario: Windows host connected to NAT router

Figure 4. VMware Server: Virtual Machine creation

Figure 5. VMware Server: Guest Operating System selection

Figure 6. VMware Server: Virtual Machine memory and processor

Figure 7. VMware Server: Virtual Machine disk configuration

Figure 8. VMware Server: Virtual Machine network connection
There is no IP configuration on the external interface.


Installing VMware Server

Open VMware Infrastructure Web Access and authenticate with your Windows account. Go to the Virtual Machine menu and select Create Virtual Machine (see Figure 4).

Give a name to this virtual machine (in this example it was PF).

Select the operating system: Other operating systems: Other (32-bit) (see Figure 5).

Select memory size 128 MB and 1 processor (see Figure 6). Create a new virtual disk with 2 GB (see Figure 7), default settings. Add a Network Adapter with a bridged network connection (Figure 8). Use the physical CD drive, or the ISO image, to install the operating system (install45.iso from http://openbsd.org). Do not add a floppy drive. The USB controller might be useful to directly connect USB network interfaces (for example 3G modems). After finishing this wizard, go to the virtual machine summary page and on the right side menu select Add hardware, select network adapter and then choose network connection HostOnly (see Figure 9).

This is the summary of the created virtual machine (see Figure 10). Power On.


Installing OpenBSD 

I have chosen OpenBSD and PF for the virtual appliance because of the strong security of the OS and the easy to understand commands of PF (for those used to Cisco, these rules are familiar). In Listing 1 you can see the installation of OpenBSD. Pay attention to the interface cards' IP addresses. The system has only one system partition and the swap, for an easy install and understanding.


Listing 1. OpenBSD installation on the Virtual Machine

choose install (i)
Terminal type vt220
keyboard mapping, in my case was pt
Proceed with install? yes
Which one is the root disk? sd0
Use all disk for OpenBSD
> a b
offset: [63]
size: [4192902] 256m
Rounding to cylinder: 530082
FS type: [swap]
> a a
offset [530145]
size [3662820]
FS type: [4.2BSD]
mount point: [none] /
> q
Write new label?: y
Are you really sure that you are ready to proceed? yes
System hostname? PF
Configure network? yes
Available interfaces are: vic0 vic1.
Which one do you wish to initialize? vic0
Symbolic name for vic0? pf_ext
Do you want to change the media options? no
IPv4 address for vic0? dhcp
IPv6 for vic0? none
Available interfaces are: vic1.
Which one do you wish to initialize? vic1
Symbolic name for vic1? pf_int
Do you want to change the media options? no
IPv4 address for vic1? 192.168.21.2
Netmask? 255.255.255.0
IPv6 address for vic1? none
DNS domain name? (put your default domain)
DNS nameserver? 208.67.222.222 208.67.220.220 (example from opendns)
Use the nameserver now? yes
Default IPv4 route? dhcp
Edit host with ed? no
Do you want to do any manual network configuration? no
Password for root account:
Location of the sets? cd
Which one contains the install media? cd0
Pathname to the sets? 4.5/i386
Set name? done (leave the default)
Ready to install sets? yes
Locations of the sets? done
Start ssh by default? yes
Start ntpd by default? no
Do you expect to run X Windows system? no
Change the default console to com0? no
What timezone are you in? Portugal (choose your own)
halt
unplug the iso cd (point to physical) and reset your virtual machine


Figure 9. VMware Server: adding hardware to the Virtual Machine

Figure 10. VMware Server: Virtual Machine hardware configuration


Installing Some Tools and PF Configuration

Uncomment the following line of the file /etc/sysctl.conf by deleting the #:

net.inet.ip.forwarding=1

This option permits the traffic flow between the two interfaces. We are not considering using multicast and ipv6, but if necessary, uncomment those lines too. Activate PF in /etc/rc.conf.local:

pf=YES

Restart to activate the changes. Add the following line to /etc/hosts file:

192.168.21.1 locale

Install these packages that can be useful for monitoring network traffic from the internet.

# export PKG_PATH=ftp://ftp3.usa.openbsd.org/pub/OpenBSD/4.5/packages/i386
# pkg_add pftop
# pkg_add ntop

If you are familiar with top for process management, these tools work in the same format and can be useful to track network connections and firewall activity. This is an example of a very simple pf.conf configuration:

/etc/pf.conf

scrub in
nat on vic0 from vic1:network to any -> vic0
block in all
pass in on vic1

Testing the firewall rules:

# pfctl -nf /etc/pf.conf

adding the rules:

# pfctl -vf /etc/pf.conf    # v: verbose output

We are blocking all incoming traffic from the external interface, permitting traffic from the internal interface, and making NAT. Now we have access from our internal Windows host to the outside world. We can try nmap from the outside to check for open ports.


Connect to the Corporate VPN

Our corporate firewall is a Cisco ASA. Our remote teleworkers connect through Cisco VPN client software. To resolve this problem while not opening unnecessary holes in our virtual firewall, we use the package vpnc. Installing the package:

# export PKG_PATH=ftp://ftp3.usa.openbsd.org/pub/OpenBSD/4.5/packages/i386
# pkg_add vpnc

Use a new pf configuration (NAT has changed because of VPN):

set skip on lo
set skip on tun0
scrub in
nat on tun0 from !(tun0) to any -> (tun0)
block in log all
pass on tun0
pass from {lo0, vic1:network, vic0} to any keep state

Fill the file /etc/vpnc/default.conf with your Cisco VPN client access profile. Start the vpn:

# vpnc
# ifconfig tun0 mtu 1452

The default mtu size for tun0 is 1414, this is sufficient if our host was the virtual appliance, but is insufficient for the NAT'ed host before (Figure 11).

You can see the encrypted ipsec network traffic with command:

# tcpdump -e -ttt -n -i vic0

Or the unencrypted traffic:

# tcpdump -e -ttt -n -i vic1
Figure 11. VPN encapsulation on the Virtual Router


Conclusion

This method is not as safe as having an external device, but it is safer than many default router configurations with, for example, Universal Plug-and-Play (UPnP) enabled.

We can make it a lot safer from unexpected Windows behavior, by using a non-admin account without privileges to change network interfaces and VMware Authentication service to boot the VM as a non-Administrator account.

Those not familiar with command-line configuration of PF can use Pfsense. Pfsense is a FreeBSD distribution customized for routers and firewalls with a nice web interface to manipulate PF rules. After booting the ISO live image available on VMware Server or using the VMware appliance in VMware Player, we choose le0 (bridged) as the WAN interface and le1 (host-only) as the LAN, then all the configuration is done in the browser.

All of these examples were made with Microsoft Windows XP Professional (US English) as the host system and OpenBSD 4.5 in the Virtual Machine. My objective was to describe the preparation of the host system, the VM, and the way they interconnect step by step. Many more things can be done with PF that I didn't mention. Read the references for going deeper into PF.

This can also be a good way to test complex firewall rules before applying them to the corporate firewall. Or, if you cannot get rid of your Windows desktop because of some applications, it is a good way to get the best of both worlds.

I hope you enjoy the Virtual Firewall.

* The Virtual Firewall - Vassilis Prevelakis - http://www.prevelakis.net/Papers/VirtualFirewall.pdf
* Firewalling with OpenBSD's PF packet filter - Peter Hansteen - http://www.bsdly.net/~peter/pf.html
* PF User Guide - http://www.openbsd.org/faq/pf/index.html
* Pfsense - http://www.pfsense.com/
Keeping FreeBSD Applications Up-To-Date


Richard Bejtlich 
Principal Technologist and Director of Incident Response, General Electric 


An important system administration task, and a principle of running a defensible 
network, is keeping operating systems and applications up-to-date. 


Running current software is critical when older services are vulnerable to exploitation. Obtaining new features not found in older applications is another reason to run current software. Fortunately, open source software offers a variety of means to give users a secure, capable computing environment.

This article presents multiple ways to keep FreeBSD applications up-to-date. I use a FreeBSD 7.1 system, and subsequent versions, to demonstrate how to install applications not included with the OS and how to keep those applications up-to-date. It is important to realize that this article discusses applications only; it does not discuss the OS. FreeBSD does not have a unified update mechanism for the OS and applications. By applications I mean software outside of the kernel and userland. For example, Debian systems can use the apt tool to keep the distribution and packaged applications up-to-date. FreeBSD does not have a single equivalent tool, so this article only addresses keeping applications up-to-date.

In this article I do not differentiate between an update and an upgrade. I will use the term update to describe any action that changes the version of an installed application.

I chose FreeBSD 7.1, released in January 2009, as my starting point because applications for it offer a security history suitable for describing multiple update cases. At the time of writing FreeBSD 7.2 is the latest STABLE release and 8.0 is now available. Readers wondering why someone might want to install an old OS version can imagine that there might be an application supported only on FreeBSD 7.1 and not yet officially ready for 7.2 or 8.0, prompting an administrator to run a 7.1 box.

All of the work done in this article was done remotely via OpenSSH. One danger of performing remote upgrades is losing connection during a critical phase of the process. One software-based way to deal with this issue is to conduct all remote upgrades within a screen(1) session (http://www.freshports.org/misc/screen). Should you lose connectivity during the upgrade while running screen, your session will continue uninterrupted. The screen(1) program has suffered security problems in the past, so balance its features against the possible risks.

My advice on administering this reference platform is based on deploying FreeBSD on servers, workstations, and laptops since 2000. The article represents a mix of my interpretations of official FreeBSD documentation, inputs from mentors, and the result of my own experimentation and deployment strategies. This guide cannot be anywhere near a complete reference on keeping FreeBSD up-to-date or maintaining a secure system. I strongly recommend reading the excellent FreeBSD Handbook as well as the multiple helpful published books on FreeBSD.


FreeBSD Handbook and Absolute FreeBSD 2nd Ed

Please note that Chapter 4, Installing Applications: Packages and Ports, is the authoritative source for information on keeping FreeBSD applications up-to-date (http://www.freebsd.org/doc/en/books/handbook/ports.html). The reason I wrote this article was to show how these various mechanisms apply in practice, and which I prefer in production. I must also recommend Michael W. Lucas' excellent book Absolute FreeBSD, 2nd Ed (No Starch, 2008). Several other excellent FreeBSD writers have produced books, but Michael's is my favorite. For deeper coverage on the topics in this article, please see the Handbook or Michael's book.


A Common Linux Experience 

FreeBSD's application installation, maintenance, and removal process is sometimes confusing to those with a Linux background. For purposes of a brief comparison, I will demonstrate how to install the Curl application on a Debian 5.0 host using the apt-get tool. For authoritative documentation on using APT, please see http://www.debian.org/doc/manuals/apt-howto/. To install Curl, the user simply enters apt-get install curl (see Listing 1).

That is easy enough! 


Simple Package Installation on FreeBSD

FreeBSD users can install Curl using a similar method (see Listing 2).

First we set a proxy for our environment. The -v switch permits seeing verbose output. The command to install the Curl package on FreeBSD from a remote package repository requires the -r switch. You can see the location from where the package was retrieved in this output:

document: [/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/curl.tbz]
...edited...
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/curl.tbz...

If you visit the FTP server and look at the directory, you'll see that curl.tbz is really a symlink to the following:

ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7.1-release/All/curl-7.18.0.tbz

The packages-7.1-release directory means that the package curl-7.18.0.tbz is the version of the package built for the release of FreeBSD 7.1, as was shipped on CD. Newer versions are available remotely and I will describe how to acquire those later.

The pkg_info command shows the Curl package is now installed. I issue the rehash command to ensure that curl is in the path for the user's shell.


Checking for Vulnerable Packages with Portaudit

FreeBSD's Portaudit tool is the easiest way to determine if any installed packages have security vulnerabilities. Portaudit relies on the FreeBSD VuXML site (http://www.vuxml.org/freebsd/) for knowledge of vulnerable packages. Don't worry about the term port vs. package right now; I'll address it soon. To see if the installed packages have any vulnerabilities, install and run Portaudit (see Listing 3). We see that Curl has a security vulnerability that requires a patch. We'll address ways to fix that in the following sections.

Listing 1. Installing curl on Debian using apt-get

shuttle02:~# uname -a
Linux shuttle02 2.6.26-1-686 #1 SMP Fri Mar 13 18:08:45 UTC 2009 i686 GNU/Linux
shuttle02:~# apt-get install curl
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  ca-certificates libcurl3 libssh2-1 openssl
The following NEW packages will be installed:
  ca-certificates curl libcurl3 libssh2-1 openssl
0 upgraded, 5 newly installed, 0 to remove and 1 not upgraded.
Need to get 1687kB of archives.
After this operation, 4133kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://http.us.debian.org stable/main openssl 0.9.8g-15+lenny1 [1036kB]
Get:2 http://security.debian.org stable/updates/main libcurl3 7.18.2-8lenny3 [228kB]
Get:3 http://http.us.debian.org stable/main ca-certificates 20080809 [151kB]
Get:4 http://http.us.debian.org stable/main libssh2-1 0.18-1 [64.3kB]
Get:5 http://security.debian.org stable/updates/main curl 7.18.2-8lenny3 [208kB]
Fetched 1687kB in 1s (1290kB/s)
Preconfiguring packages
Selecting previously deselected package openssl.
(Reading database ... 51192 files and directories currently installed.)
Unpacking openssl (from .../openssl_0.9.8g-15+lenny1_i386.deb)
Selecting previously deselected package ca-certificates.
Unpacking ca-certificates (from .../ca-certificates_20080809_all.deb)
Selecting previously deselected package libssh2-1.
Unpacking libssh2-1 (from .../libssh2-1_0.18-1_i386.deb)
Selecting previously deselected package libcurl3.
Unpacking libcurl3 (from .../libcurl3_7.18.2-8lenny3_i386.deb)
Selecting previously deselected package curl.
Unpacking curl (from .../curl_7.18.2-8lenny3_i386.deb)
Processing triggers for man-db ...
Setting up openssl (0.9.8g-15+lenny1)
Setting up ca-certificates (20080809)
Updating certificates in /etc/ssl/certs....done.
Running hooks in /etc/ca-certificates/update.d....done.
Setting up libssh2-1 (0.18-1)
Setting up libcurl3 (7.18.2-8lenny3)
Setting up curl (7.18.2-8lenny3)
shuttle02:~# which curl
/usr/bin/curl
Listing 2. Installing curl on FreeBSD using pkg_add

freebsd7# uname -a
FreeBSD freebsd7.localdomain 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Aug 20 11:24:04 EDT 2009 root@freebsd7.localdomain:/usr/obj/usr/src/sys/FREEBSD7 i386
freebsd7# setenv FTP_PROXY http://172.16.2.1:3128
freebsd7# pkg_add -vr curl
scheme:   [ftp]
user:     []
password: []
host:     [ftp.freebsd.org]
port:     [0]
document: [/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/curl.tbz]
scheme:   [http]
user:     []
password: []
host:     [172.16.2.1]
port:     [3128]
document: [/]
---> 172.16.2.1:3128
looking up 172.16.2.1
connecting to 172.16.2.1:3128
requesting ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/curl.tbz
>>> GET ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/curl.tbz HTTP/1.1
>>> Host: ftp.freebsd.org
>>> User-Agent: pkg_add libfetch/2.0
>>> Connection: close
>>>
<<< HTTP/1.0 200 Gatewaying
<<< Server: squid/2.7.STABLE6
<<< Date: Mon, 24 Aug 2009 19:52:19 GMT
<<< Content-Type: text/plain
<<< Content-Length: 10383297
content length: [10383297]
<<< Last-Modified: Mon, 08 Sep 2008 10:45:09 GMT
last modified: [2008-09-08 10:45:09]
<<< X-Cache: MISS from r200a.taosecurity.com
<<< Via: 1.0 r200a.taosecurity.com:3128 (squid/2.7.STABLE6)
<<< Connection: close
<<<
offset 0, length -1, size -1, clength 10383297
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/curl.tbz...
x +CONTENTS
x +COMMENT
x +DESC
x +MTREE_DIRS
x man/man1/curl.1.gz
...edited...
x share/examples/curl/synctime.c
tar command returns 0 status
Done.
extract: Package name is curl-7.18.0
extract: CWD to /usr/local
extract: /usr/local/man/man1/curl.1.gz
...edited...
extract: /usr/local/share/examples/curl/synctime.c
extract: execute '/sbin/ldconfig -m /usr/local/lib'
extract: CWD to .
Running mtree for curl-7.18.0..
mtree -U -f +MTREE_DIRS -d -e -p /usr/local >/dev/null
Attempting to record package into /var/db/pkg/curl-7.18.0..
Package curl-7.18.0 registered in /var/db/pkg/curl-7.18.0
freebsd7# pkg_info
curl-7.18.0         Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
freebsd7# rehash


Listing 3. Installing portaudit on FreeBSD

freebsd7# pkg_add -r portaudit
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/portaudit.tbz... Done.
===> To check your installed ports for known vulnerabilities now, do:

/usr/local/sbin/portaudit -Fda

freebsd7# rehash
freebsd7# portaudit -Fdav
Attempting to fetch from http://www.FreeBSD.org/ports/.
auditfile.tbz 100% of
New database installed.
Database created: Mon Aug 24 15:10:03 EDT 2009
Affected package: curl-7.18.0 (matched by curl>=5.11<7.19.4)
Type of problem: curl -- cURL/libcURL Location: Redirect URLs Security Bypass.
Reference: <http://www.FreeBSD.org/ports/portaudit/5d433534-f41c-402e-ade5-e0a2259a7cb6.html>

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.
FreeBSD Package Repositories

It is important to understand what version of packages are made available through the FreeBSD project. Visiting ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/ shows what's available for the i386 platform. (The FreeBSD team also regularly builds packages for the amd64 platform, see Listing 4.)

For the purposes of our system (running a version of FreeBSD 7.x), we care about the packages-7* directories.

Earlier we installed Curl and it was retrieved from the packages-7.1-release directory. The packages-7.2-release directory is likely to contain a newer version of Curl since 7.2 was released months after 7.1. If we check that directory, we find curl-7.19.4.tbz is available, with a build date of Apr 21.

Looking back at our Portaudit output, we see that the 7.19.4 is not vulnerable:

(matched by curl>=5.11<7.19.4)

Let's remember that for now, but also look at the other packages-7* directory, packages-7-stable. In that directory we find curl-7.19.6_1.tbz available, with a build date of Aug 22. That version is also not vulnerable.
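
How the "matched by curl>=5.11<7.19.4" range decides which of the versions above are affected, as an added example that is not Portaudit's own code. The function names are hypothetical, and the version comparison is a simplified assumption (dotted numeric components with optional _PORTREVISION and ,PORTEPOCH), not the full pkg_version(1) algorithm.

```python
import operator
import re

# Constructed input: the two relevant lines of the Listing 3 report,
# each joined onto a single line.
SAMPLE_REPORT = """\
Affected package: curl-7.18.0 (matched by curl>=5.11<7.19.4)
Type of problem: curl -- cURL/libcURL Location: Redirect URLs Security Bypass.
"""

_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "=": operator.eq}
_CONSTRAINT = re.compile(r"(>=|<=|>|<|=)([^<>=]+)")
_COMPONENT = re.compile(r"(\d*)([A-Za-z]*)")
_AFFECTED = re.compile(r"Affected package: (\S+) \(matched by ([^)]+)\)")


def version_key(version):
    """Return a sortable key (epoch, components, revision) for a version.

    Simplified assumption: "1.2.3_4,1" style only; a letter suffix such as
    the "g" in "0.9.8g" is compared as a plain string.
    """
    epoch = revision = 0
    if "," in version:
        version, raw_epoch = version.rsplit(",", 1)
        epoch = int(raw_epoch)
    if "_" in version:
        version, raw_revision = version.rsplit("_", 1)
        revision = int(raw_revision)
    parts = []
    for piece in version.split("."):
        match = _COMPONENT.fullmatch(piece)
        if match is None:
            raise ValueError("unsupported version component: %r" % piece)
        number, letters = match.groups()
        parts.append((int(number) if number else 0, letters))
    # Drop trailing zero components so that 7.18 and 7.18.0 compare equal.
    while parts and parts[-1] == (0, ""):
        parts.pop()
    return (epoch, tuple(parts), revision)


def parse_pattern(pattern):
    """Split 'curl>=5.11<7.19.4' into ('curl', [('>=','5.11'), ('<','7.19.4')])."""
    name = re.match(r"[^<>=]+", pattern).group(0)
    return name, _CONSTRAINT.findall(pattern[len(name):])


def is_affected(package, pattern):
    """True if 'name-version' satisfies every constraint in the pattern."""
    if "-" not in package:
        raise ValueError("expected name-version, got %r" % package)
    pkg_name, pkg_version = package.rsplit("-", 1)
    name, constraints = parse_pattern(pattern)
    if pkg_name != name:
        return False
    key = version_key(pkg_version)
    return all(_OPS[op](key, version_key(bound)) for op, bound in constraints)


def findings(report):
    """Extract (package, pattern) pairs from portaudit report text."""
    return _AFFECTED.findall(report)


def fixed_by(report, candidates):
    """Return the candidate packages that no reported pattern matches."""
    patterns = [pattern for _, pattern in findings(report)]
    return [c for c in candidates
            if not any(is_affected(c, p) for p in patterns)]


if __name__ == "__main__":
    # The installed package and the two repository versions named in the text.
    for pkg in ("curl-7.18.0", "curl-7.19.4", "curl-7.19.6_1"):
        state = "AFFECTED" if is_affected(pkg, "curl>=5.11<7.19.4") else "ok"
        print("%-15s %s" % (pkg, state))
```

The upper bound is exclusive, which is why 7.19.4 itself falls outside the affected range.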

So what does packages-7-stable mean? That directory contains the latest packages built for FreeBSD 7.x. If you're thinking that you might want to install packages from that site on a regular basis, you are right. I'll cover that soon. For now we want to know how to update Curl to a newer version.


Updating Packages by Deletion and Addition

Deleting an installed package and adding a new version is one way to update a package. The easiest way to accomplish this goal is to change to the /var/db/pkg directory and use the pkg_delete command (see Listing 5).

With Curl deleted, we can add the new version. For demonstration purposes we'll add the version shipped with FreeBSD 7.2 RELEASE. To tell pkg_add how to get that package, we set the PACKAGESITE variable (see Listing 6).

Curl is now installed. Notice that a dependency, ca_root_nss, was also installed. If we rerun Portaudit, the vulnerability should be eliminated (see Listing 7).
That process seems simple enough. However, it is probably not convenient to delete and add every package on a system when the administrator wants to update the packages. To run a more automated update system, we have to turn to the FreeBSD ports tree.


Introducing the FreeBSD Ports Tree

Thus far we have worked with FreeBSD packages. They are convenient, but they do not independently support an update mechanism. The reference against which packages are compared to determine their freshness is the FreeBSD ports tree. On our reference FreeBSD 7.1 system, we installed the version of the ports tree that shipped with FreeBSD 7.1 RELEASE.

The FreeBSD ports tree can be found in the /usr/ports directory (see Listing 8). For the purposes of this article, it is sufficient to know that FreeBSD ports are a framework upon which application source code is installed on a FreeBSD system.


Listing 4. pub/FreeBSD/ports/i386 directory listing

packages -> packages-stable               Symbolic Link
packages-6-stable                         Directory
packages-6.4-release                      Directory
packages-7-stable                         Directory
packages-7.1-release                      Directory
packages-7.2-release                      Directory
packages-8-current -> packages-8-stable   Symbolic Link
packages-8-stable                         Directory
packages-9-current                        Directory
packages-current -> packages-8-current/   Symbolic Link
packages-stable -> packages-7-stable      Symbolic Link


Listing 5. Removing a FreeBSD package with pkg_delete

freebsd7# pkg_info
curl-7.18.0         Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
portaudit-0.5.12    Checks installed ports against a list of security vulnerabi
freebsd7# cd /var/db/pkg/
freebsd7# ls
curl-7.18.0         portaudit-0.5.12
freebsd7# pkg_delete curl-7.18.0/
freebsd7# pkg_info
portaudit-0.5.12    Checks installed ports against a list of security vulnerabi

Updating the FreeBSD Ports Tree

The easiest way to update the FreeBSD ports
tree is to use Colin Percival's Portsnap tool
(http://www.daemonology.net/portsnap/),
now shipped with FreeBSD. First run portsnap
fetch to download a compressed version of
the FreeBSD ports tree needed by portsnap
(see Listing 9).

In the future, we do not need to
run portsnap extract. Instead, we run
portsnap update.

With the FreeBSD ports tree installed, we
can use the pkg_version tool to check what
packages need to be updated. This checks
for any update, not just security updates as
we saw with Portaudit (see Listing 10).

As we can see, two of our packages 
(Curl and Portaudit) have newer versions 
available. 
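To act on this output in an unattended check (for example from cron), the following added example, which is not part of the original article, parses `pkg_version -v` lines and reports only the packages that are not current. The function names are hypothetical, and the sample input is constructed from the package names and versions shown in Listings 10 and 13.

```shell
#!/bin/sh
# Added example: summarise `pkg_version -v` output for unattended checks.

# Constructed sample in the layout of Listing 13 (values taken from the article).
sample_pkg_version() {
cat <<'EOF'
ca_root_nss-3.11.9_2                =   up-to-date with port
curl-7.19.4                         <   needs updating (port has 7.19.6_1)
db41-4.1.25_4                       =   up-to-date with port
portaudit-0.5.12                    <   needs updating (port has 0.5.13)
portupgrade-2.4.6_3,2               =   up-to-date with port
ruby-1.8.7.160_4,1                  =   up-to-date with port
ruby18-bdb-0.6.5_1                  =   up-to-date with port
EOF
}

# Read `pkg_version -v` lines on stdin and print one line per package
# whose status is not "=":
#   OUTDATED <name> <installed-version> <version-in-ports-tree>
#   REVIEW   <name> <installed-version> <status-character>
# "<" means the installed package is older than the port. Any other
# status (">", "?", "*", "!") cannot be compared automatically, so it is
# reported for manual review instead of being silently dropped.
report_stale() {
    awk '
    NF >= 2 {
        pkg = $1
        status = $2
        # Split name from version at the LAST hyphen: names such as
        # ruby18-bdb contain hyphens, package versions never do.
        i = length(pkg)
        while (i > 0 && substr(pkg, i, 1) != "-") i--
        if (i <= 1) next              # not a name-version token, skip
        name = substr(pkg, 1, i - 1)
        ver = substr(pkg, i + 1)
        if (status == "=") next       # up to date, nothing to report
        if (status == "<") {
            avail = "unknown"
            # "(port has " is 10 characters; the closing ")" is 1 more.
            if (match($0, /\(port has [^)]*\)/))
                avail = substr($0, RSTART + 10, RLENGTH - 11)
            print "OUTDATED", name, ver, avail
        } else {
            print "REVIEW", name, ver, status
        }
    }'
}

# Stand-alone demonstration on the constructed sample. On a real system
# the input would be:  pkg_version -v | report_stale
sample_pkg_version | report_stale
```
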


Reading /usr/ports/UPDATING 


It is important to read /usr/ports/UPDATING
before invoking Portupgrade. We have not 
done so yet because these examples have 


Listing 6. Installing a newer curl package using pkg_add

freebsd7# setenv PACKAGESITE ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7.2-release/Latest/
freebsd7# pkg_add -vr curl
scheme:   [ftp]
user:     []
password: []
host:     [ftp.freebsd.org]
port:     [0]
document: [//pub/FreeBSD/ports/i386/packages-7.2-release/Latest/curl.tbz]
scheme:   [http]
user:     []
password: []
host:     [172.16.2.1]
port:     [3128]
document: [/]
---> 172.16.2.1:3128
looking up 172.16.2.1
connecting to 172.16.2.1:3128
requesting ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7.2-release/Latest/curl.tbz
>>> GET ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7.2-release/Latest/curl.tbz HTTP/1.1
>>> Host: ftp.freebsd.org
>>> User-Agent: pkg_add libfetch/2.0
>>> Connection: close
>>>
<<< HTTP/1.0 200 Gatewaying
<<< Server: squid/2.7.STABLE6
<<< Date: Mon, 24 Aug 2009 20:00:58 GMT
<<< Content-Type: text/plain
<<< Content-Length: 1097934
content length: [1097934]
<<< Last-Modified: Mon, 13 Apr 2009 21:16:46 GMT
last modified: [2009-04-13 21:16:46]
<<< X-Cache: MISS from r200a.tacsecurity.com
<<< Via: 1.0 r200a.tacsecurity.com:3128 (squid/2.7.STABLE6)
<<< Connection: close
<<<
offset 0, length -1, size -1, clength 1097934
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7.2-release/Latest/curl.tbz...
x +CONTENTS
x +COMMENT
x +DESC
x +MTREE_DIRS
x man/man1/curl.1.gz
...edited...
x share/examples/curl/threaded-ssl.c
tar command returns 0 status
Done.
Package 'curl-7.19.4' depends on 'ca_root_nss-3.11.9_2' with 'security/ca_root_nss' origin.
scheme:   [ftp]
user:     []
password: []
host:     [ftp.freebsd.org]
port:     [0]
document: [//pub/FreeBSD/ports/i386/packages-7.2-release/All/ca_root_nss-3.11.9_2.tbz]
scheme:   [http]
user:     []
password: []
host:     [172.16.2.1]
port:     [3128]
document: [/]
---> 172.16.2.1:3128
looking up 172.16.2.1
connecting to 172.16.2.1:3128
requesting ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7.2-release/All/ca_root_nss-3.11.9_2.tbz
>>> GET ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7.2-release/All/ca_root_nss-3.11.9_2.tbz HTTP/1.1
>>> Host: ftp.freebsd.org
>>> User-Agent: pkg_add libfetch/2.0
>>> Connection: close
>>>
<<< HTTP/1.0 200 Gatewaying
<<< Server: squid/2.7.STABLE6
<<< Date: Mon, 24 Aug 2009 20:01:02 GMT
<<< Content-Type: text/plain
<<< Content-Length: 172602
content length: [172602]
<<< Last-Modified: Mon, 13 Apr 2009 21:00:07 GMT
last modified: [2009-04-13 21:00:07]
<<< X-Cache: MISS from r200a.tacsecurity.com
<<< Via: 1.0 r200a.tacsecurity.com:3128 (squid/2.7.STABLE6)
<<< Connection: close
<<<
offset 0, length -1, size -1, clength 172602
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7.2-release/All/ca_root_nss-3.11.9_2.tbz...
x +CONTENTS
x +COMMENT
x +DESC
x +MTREE_DIRS
x share/certs/ca-root-nss.crt
tar command returns 0 status
Done.
Finished loading ca_root_nss-3.11.9_2 over FTP.
extract: Package name is ca_root_nss-3.11.9_2
extract: CWD to /usr/local
extract: /usr/local/share/certs/ca-root-nss.crt
extract: CWD to .
Running mtree for ca_root_nss-3.11.9_2..
mtree -U -f +MTREE_DIRS -d -e -p /usr/local >/dev/null
Attempting to record package into /var/db/pkg/ca_root_nss-3.11.9_2..
Package ca_root_nss-3.11.9_2 registered in /var/db/pkg/ca_root_nss-3.11.9_2
'ca_root_nss-3.11.9_2' loaded successfully.
extract: Package name is curl-7.19.4
extract: CWD to /usr/local
extract: /usr/local/man/man1/curl.1.gz
...edited...
extract: /usr/local/share/examples/curl/threaded-ssl.c
extract: CWD to .
extract: execute '/sbin/ldconfig -m /usr/local/lib'
Running mtree for curl-7.19.4..
mtree -U -f +MTREE_DIRS -d -e -p /usr/local >/dev/null
Attempting to record package into /var/db/pkg/curl-7.19.4..
Trying to record dependency on package 'ca_root_nss-3.11.9_2' with 'security/ca_root_nss' origin.
Package curl-7.19.4 registered in /var/db/pkg/curl-7.19.4
freebsd7# pkg_info
ca_root_nss-3.11.9_2 The root certificate bundle from the Mozilla Project
curl-7.19.4         Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
portaudit-0.5.12    Checks installed ports against a list of security vulnerabi


Listing 7. Portaudit output shows curl is no longer vulnerable

freebsd7# portaudit -Fdav
Attempting to fetch from http://www.FreeBSD.org/ports/.
auditfile.tbz                                 100% of   57 kB   69 kBps
New database installed.
Database created: Mon Aug 24 15:40:01 EDT 2009
0 problem(s) in your installed packages found.


Listing 8. FreeBSD ports tree

freebsd7# ls /usr/ports
.cvsignore      arabic          emulators       mbone           shells
CHANGES         archivers       finance         misc            sysutils
COPYRIGHT       astro           french          multimedia      textproc
GIDs            audio           ftp             net             ukrainian
INDEX-7         benchmarks      games           net-im          vietnamese
KNOBS           biology         german          net-mgmt        www
LEGAL           cad             graphics        net-p2p         x11
MOVED           chinese         hebrew          news            x11-clocks
Makefile        comms           hungarian       palm            x11-drivers
Mk              converters      irc             polish          x11-fm
README          databases       japanese        ports-mgmt      x11-fonts
Templates       deskutils       java            portuguese      x11-servers
Tools           devel           korean          print           x11-themes
UIDs            distfiles       lang            russian         x11-toolkits
UPDATING        dns             mail            science         x11-wm
accessibility   editors         math            security
been fairly simple. However, there may
be information in /usr/ports/UPDATING
that could recommend different actions
depending on the ports of interest. From
now on, consult /usr/ports/UPDATING after
you upgrade your ports tree and before
you invoke Portupgrade.


Listing 9. Updating the ports tree with portsnap

freebsd7# portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from portsnap2.FreeBSD.org... done.
Fetching snapshot tag from portsnap2.FreeBSD.org... done.
Fetching snapshot metadata... done.
Fetching snapshot generated at Sun Aug 23 20:41:07 EDT 2009:
e4a063906c569abd82cdc053dda2ced013f53d80723ef4100% of   59 MB  359 kBps 00m00s
Extracting snapshot... done.
Verifying snapshot integrity... done.
Fetching snapshot tag from portsnap2.FreeBSD.org... done.
Fetching snapshot metadata... done.
Updating from Sun Aug 23 20:41:07 EDT 2009 to Mon Aug 24 13:52:56 EDT 2009.
Fetching 4 metadata patches... done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 30 patches.....10....20....30 done.
Applying patches... done.
Fetching 2 new ports or files... done.
freebsd7# portsnap extract
/usr/ports/.cvsignore
/usr/ports/CHANGES
/usr/ports/COPYRIGHT
...edited...
/usr/ports/x11/zenity/
Building new INDEX files... done.


Listing 10. Using pkg_version to check for updates

freebsd7# pkg_version -v
ca_root_nss-3.11.9_2                =   up-to-date with port
curl-7.19.4                         <   needs updating (port has 7.19.6_1)
portaudit-0.5.12                    <   needs updating (port has 0.5.13)


Installing Portupgrade

The FreeBSD Portupgrade program
(http://wiki.freebsd.org/portupgrade) is a
powerful tool that offers the ability to
update packages using only packages.
Portupgrade is a bit heavy in the sense
that it requires installing Ruby as
a dependency, whereas other options do
not require such dependencies. However,
other options do not seem to have the
ability to dictate installing packages
instead of building from ports.

We'll install Portupgrade from the 7-stable
package collection by setting the
appropriate environment variable and then
invoking pkg_add. When we start we have
only 3 packages installed (see Listing 11).

After adding Portupgrade, we have 7
packages installed. You can see the Ruby
and Berkeley DB dependencies installed
by Portupgrade.


Updating Packages Using Portupgrade

With Portupgrade installed, we can use
the portversion tool to determine what
packages need updating (see Listing 12).
If we just want to see packages that need
updating, we run portversion -v -l "<".

When we run portversion, we see it
builds a package database (pkgdb), then
a ports database (portsdb) for its own
use. We could have used pkg_version to
produce the same output (see Listing 13).

So, with this information, how can we
update packages that need updating?

The following advice is based on my
personal preferences, but when updating
packages I prefer to use packages,
not compiling from source code, when
possible. (I'll discuss alternatives later.) The
following example will update the packages
for which newer versions are available.

First we set proxy and PACKAGESITE
variables, and then we invoke Portupgrade
(see Listing 14).

When done, we can see the packages
have been updated (see Listing 15).

So what just happened? Portupgrade
found that Curl and Portaudit were out-of-date.
It downloaded the newest packages
from the packages-7-stable directory on
a remote FreeBSD FTP server, uninstalled
the out-of-date package, and installed the
up-to-date package.

As you may have noticed in the Portupgrade
output, the program stores copies of the
packages it downloads in the
/usr/ports/packages/All directory.


freebsd7# ls /usr/ports/packages/All
curl-7.19.6_1.tbz       portaudit-0.5.13.tbz


By specifying the -a switch we told
Portupgrade to update all packages. The
-v switch enabled verbose mode. The
-PP switch told Portupgrade to only use
packages, and it retrieved those packages
from the public FreeBSD package
repository.

There are other ways to invoke
Portupgrade, such as telling it to only
update individual packages, and then
update their dependencies, and so on.
I prefer this simpler approach of updating
everything that requires it.


FreeBSD Package Dependencies

Dependencies are packages which are
required in order to run other packages.
We can use the pkg_info command to
Listing 11. Installing portupgrade using pkg_add

freebsd7# pkg_info
ca_root_nss-3.11.9_2 The root certificate bundle from the Mozilla Project
curl-7.19.4         Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
portaudit-0.5.12    Checks installed ports against a list of security vulnerabi
freebsd7# setenv PACKAGESITE ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/
freebsd7# pkg_add -vr portupgrade
scheme:   [ftp]
user:     []
password: []
host:     [ftp.freebsd.org]
port:     [0]
document: [//pub/FreeBSD/ports/i386/packages-7-stable/Latest/portupgrade.tbz]
scheme:   [http]
user:     []
password: []
host:     [172.16.2.1]
port:     [3128]
document: [/]
---> 172.16.2.1:3128
looking up 172.16.2.1
connecting to 172.16.2.1:3128
requesting ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/portupgrade.tbz
>>> GET ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/portupgrade.tbz HTTP/1.1
>>> Host: ftp.freebsd.org
>>> User-Agent: pkg_add libfetch/2.0
>>> Connection: close
...edited...
Running mtree for portupgrade-2.4.6_3,2..
mtree -U -f +MTREE_DIRS -d -e -p /usr/local >/dev/null
Attempting to record package into /var/db/pkg/portupgrade-2.4.6_3,2..
Trying to record dependency on package 'ruby-1.8.7.160_4,1' with 'lang/ruby18' origin.
Trying to record dependency on package 'db41-4.1.25_4' with 'databases/db41' origin.
Trying to record dependency on package 'ruby18-bdb-0.6.5_1' with 'databases/ruby-bdb' origin.
Package portupgrade-2.4.6_3,2 registered in /var/db/pkg/portupgrade-2.4.6_3,2
Fill ALT_PKGDEP section in pkgtools.conf file for portupgrade
be aware of alternative dependencies you use.
E.g.
  ALT_PKGDEP = {
    'www/apache13' => 'www/apache13-modssl',
    'print/ghostscript-gnu' => 'print/ghostscript-gpl',
  }

Note also, portupgrade knows nothing how to handle ports with different
suffixes (E.g. -nox11). So you should explicitly define variables
(E.g. WITHOUT_X11=yes) for the ports in /etc/make.conf or pkgtools.conf
(MAKE_ARGS section) files.
freebsd7# rehash
freebsd7# pkg_info
ca_root_nss-3.11.9_2 The root certificate bundle from the Mozilla Project
curl-7.19.4         Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
db41-4.1.25_4       The Berkeley DB package, revision 4.1
portaudit-0.5.12    Checks installed ports against a list of security vulnerabi
portupgrade-2.4.6_3,2 FreeBSD ports/packages administration and management tool s
ruby-1.8.7.160_4,1  An object-oriented interpreted scripting language
ruby18-bdb-0.6.5_1  Ruby interface to Sleepycat's Berkeley DB revision 2 or lat


Listing 12. Using portversion to check for updates

freebsd7# portversion -v
[Rebuilding the pkgdb <format:bdb_btree> in /var/db/pkg ... - 7 packages found (-0 +7) ....... done]
[Updating the portsdb <format:bdb_btree> in /usr/ports ... - 20616 port entries found
.........1000.........2000.........3000.........4000.........5000
.........6000.........7000.........8000.........9000.........10000
.........11000.........12000.........13000.........14000.........15000
.........16000.........17000.........18000.........19000.........20000
...... ..... done]
ca_root_nss-3.11.9_2        =  up-to-date with port
curl-7.19.4                 <  needs updating (port has 7.19.6_1)
db41-4.1.25_4               =  up-to-date with port
portaudit-0.5.12            <  needs updating (port has 0.5.13)
portupgrade-2.4.6_3,2       =  up-to-date with port
ruby-1.8.7.160_4,1          =  up-to-date with port
ruby18-bdb-0.6.5_1          =  up-to-date with port
Listing 13. Using pkg_version to check for updates

freebsd7# pkg_version -v
ca_root_nss-3.11.9_2                =   up-to-date with port
curl-7.19.4                         <   needs updating (port has 7.19.6_1)
db41-4.1.25_4                       =   up-to-date with port
portaudit-0.5.12                    <   needs updating (port has 0.5.13)
portupgrade-2.4.6_3,2               =   up-to-date with port
ruby-1.8.7.160_4,1                  =   up-to-date with port
ruby18-bdb-0.6.5_1                  =   up-to-date with port

Listing 14. Updating old packages with new packages using portupgrade

freebsd7# setenv HTTP_PROXY http://172.16.2.1:3128
freebsd7# setenv PACKAGESITE ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/
freebsd7# portupgrade -vaPP
--->  Session started at: Tue, 25 Aug 2009 09:28:59 -0400
--->  Checking for the latest package of 'ftp/curl'
** No such file or directory - /usr/ports/packages/All
--->  Fetching the package(s) for 'curl-7.19.6_1' (ftp/curl)
--->  Fetching curl-7.19.6_1
++ Will try the following sites in the order named:
        ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/
--->  Invoking a command: /usr/bin/fetch -o '/var/tmp/portupgradeRvouj4wi/curl-7.19.6_1.tbz' 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/All/curl-7.19.6_1.tbz'

/ ver / tmp) porkupgradeRvoOuj4wily curl—7.19,6 l.tbzle0; or Lips 

kB 2824 kBps 

--->  Downloaded as curl-7.19.6_1.tbz
--->  Identifying the package /var/tmp/portupgradeRvouj4wi/curl-7.19.6_1.tbz
--->  Saved as /usr/ports/packages/All/curl-7.19.6_1.tbz
--->  Listing the results (+:done / -:ignored / *:skipped / !:failed)
        + curl-7.19.6_1
--->  Packages processed: 1 done, 0 ignored, 0 skipped and 0 failed
--->  Found a package of 'ftp/curl': /usr/ports/packages/All/curl-7.19.6_1.tbz (curl-7.19.6_1)
--->  Located a package version 7.19.6_1 (/usr/ports/packages/All/curl-7.19.6_1.tbz)
--->  Upgrade of ftp/curl started at: Tue, 25 Aug 2009 09:29:18 -0400
--->  Upgrading 'curl-7.19.4' to 'curl-7.19.6_1' (ftp/curl) using a package
--->  Updating dependency info
--->  Uninstallation of curl-7.19.4 started at: Tue, 25 Aug 2009 09:29:18 -0400
--->  Fixing up dependencies before creating a package
--->  Backing up the old version
--->  Uninstalling the old version
--->  Deinstalling 'curl-7.19.4'
--->  Preserving /usr/local/lib/libcurl.so.5 as /usr/local/lib/compat/pkg/libcurl.so.5
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 6 packages found (-1 +0) (...) done]
--->  Uninstallation of curl-7.19.4 ended at: Tue, 25 Aug 2009 09:29:34 -0400 (consumed 00:00:15)
--->  Installation of curl-7.19.6_1 started at: Tue, 25 Aug 2009 09:29:34 -0400
--->  Installing the new version via the package
--->  Removing temporary files and directories
--->  Removing old package'
--->  Installation of curl-7.19.6_1 ended at: Tue, 25 Aug 2009 09:29:38 -0400 (consumed 00:00:04)
--->  Cleaning out obsolete shared libraries
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 7 packages found (-0 +1) . done]
--->  Upgrade of ftp/curl ended at: Tue, 25 Aug 2009 09:29:49 -0400 (consumed 00:00:30)
--->  ** Upgrade tasks 2: 1 done, 0 ignored, 0 skipped and 0 failed
--->  Checking for the latest package of 'ports-mgmt/portaudit'
--->  Fetching the package(s) for 'portaudit-0.5.13' (ports-mgmt/portaudit)
--->  Fetching portaudit-0.5.13
++ Will try the following sites in the order named:
        ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/
--->  Invoking a command: /usr/bin/fetch -o '/var/tmp/portupgradeY8v1o054H/portaudit-0.5.13.tbz' 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/All/portaudit-0.5.13.tbz'
/var/tmp/portupgradeY8v1o054H/portaudit-0.5.13.tbz  100% of   10 kB 1842 kBps
--->  Downloaded as portaudit-0.5.13.tbz
--->  Identifying the package /var/tmp/portupgradeY8v1o054H/portaudit-0.5.13.tbz
--->  Saved as /usr/ports/packages/All/portaudit-0.5.13.tbz
--->  Listing the results (+:done / -:ignored / *:skipped / !:failed)
        + portaudit-0.5.13
--->  Packages processed: 1 done, 0 ignored, 0 skipped and 0 failed
--->  Found a package of 'ports-mgmt/portaudit': /usr/ports/packages/All/portaudit-0.5.13.tbz (portaudit-0.5.13)
--->  Located a package version 0.5.13 (/usr/ports/packages/All/portaudit-0.5.13.tbz)
--->  Upgrade of ports-mgmt/portaudit started at: Tue, 25 Aug 2009 09:29:59 -0400
--->  Upgrading 'portaudit-0.5.12' to 'portaudit-0.5.13' (ports-mgmt/portaudit) using a package
--->  Updating dependency info
--->  Uninstallation of portaudit-0.5.12 started at: Tue, 25 Aug 2009 09:30:00 -0400
--->  Fixing up dependencies before creating a package
--->  Backing up the old version
--->  Uninstalling the old version
--->  Deinstalling 'portaudit-0.5.12'
The portaudit package has been deleted.
If you're *not* upgrading and won't be using
it any longer, you may want to remove the portaudit database:

  rm -Rf /var/db/portaudit

[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 6 packages found (-1 +0) (...) done]
--->  Uninstallation of portaudit-0.5.12 ended at: Tue, 25 Aug 2009 09:30:20 -0400 (consumed 00:00:20)
--->  Installation of portaudit-0.5.13 started at: Tue, 25 Aug 2009 09:30:20 -0400
--->  Installing the new version via the package
--->  Removing temporary files and directories
--->  Removing old package'
--->  Installation of portaudit-0.5.13 ended at: Tue, 25 Aug 2009 09:30:22 -0400 (consumed 00:00:01)
--->  Cleaning out obsolete shared libraries
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 7 packages found (-0 +1) . done]
--->  Upgrade of ports-mgmt/portaudit ended at: Tue, 25 Aug 2009 09:30:31 -0400 (consumed 00:00:32)
--->  ** Upgrade tasks 2: 2 done, 0 ignored, 0 skipped and 0 failed
--->  Listing the results (+:done / -:ignored / *:skipped / !:failed)
        + ftp/curl (curl-7.19.4)
        + ports-mgmt/portaudit (portaudit-0.5.12)
--->  Packages processed: 2 done, 0 ignored, 0 skipped and 0 failed
--->  Session ended at: Tue, 25 Aug 2009 09:30:40 -0400 (consumed 00:01:40)


Listing 15. Portversion shows packages as up-to-date

freebsd7# portversion -v
ca_root_nss-3.11.9_2        =  up-to-date with port
curl-7.19.6_1               =  up-to-date with port
db41-4.1.25_4               =  up-to-date with port
portaudit-0.5.13            =  up-to-date with port
portupgrade-2.4.6_3,2       =  up-to-date with port
ruby-1.8.7.160_4,1          =  up-to-date with port
ruby18-bdb-0.6.5_1          =  up-to-date with port


Listing 16. Installing pkg_tree

freebsd7# pkg_add -r pkg_tree
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/pkg_tree.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/perl-5.8.9_3.tbz... Done.
Removing stale symlinks from /usr/bin...
    Skipping /usr/bin/perl
    Skipping /usr/bin/perl5
Done.
Creating various symlinks in /usr/bin...
    Symlinking /usr/local/bin/perl5.8.9 to /usr/bin/perl
    Symlinking /usr/local/bin/perl5.8.9 to /usr/bin/perl5
Done.
Cleaning up /etc/make.conf... Done.
Spamming /etc/make.conf... Done.
Cleaning up /etc/manpath.config... Done.
Spamming /etc/manpath.config... Done.

Listing 17. Running pkg_tree

freebsd7# pkg_tree
ca_root_nss-3.11.9_2
curl-7.19.6_1
 \__ ca_root_nss-3.11.9_2
db41-4.1.25_4
perl-5.8.9_3
pkg_tree-1.1_1
 \__ perl-5.8.9_3
portaudit-0.5.13
portupgrade-2.4.6_3,2
|\__ ruby-1.8.7.160_4,1
|\__ db41-4.1.25_4
 \__ ruby18-bdb-0.6.5_1
ruby-1.8.7.160_4,1
ruby18-bdb-0.6.5_1
|\__ ruby-1.8.7.160_4,1
 \__ db41-4.1.25_4


Listing 18. Installing mutt and updating pkg_db

freebsd7# pkg_add -r mutt
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/mutt.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/urlview-0.9_2.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/ispell-3.3.02_4.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/mime-support-3.46.1.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/png-1.2.38.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/pcre-7.9.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/libiconv-1.13.1.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/libslang2-2.1.4_1.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/gettext-0.17_1.tbz... Done.
freebsd7# pkgdb -vu
--->  Updating the pkgdb
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 18 packages found (-0 +9) ......... done]
Listing 19. Failing to remove pcre because of dependencies

freebsd7# pkg_deinstall pcre-7.9/
--->  Deinstalling 'pcre-7.9'
pkg_delete: package 'pcre-7.9' is required by these other packages
and may not be deinstalled:
libslang2-2.1.4_1
mutt-1.4.2.3_3
** Listing the failed packages (-:ignored / *:skipped / !:failed)
        ! pcre-7.9      (pkg_delete failed)


Listing 20. Removing mutt and its dependencies using pkg_deinstall

freebsd7# pkg_deinstall -R mutt-1.4.2.3_3/
--->  Deinstalling 'mutt-1.4.2.3_3'
--->  Deinstalling 'urlview-0.9_2'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 17 packages found (-1 +0) (...) done]
--->  Deinstalling 'libslang2-2.1.4_1'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 16 packages found (-1 +0) (...) done]
--->  Deinstalling 'pcre-7.9'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 15 packages found (-1 +0) (...) done]
--->  Deinstalling 'mime-support-3.46.1'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 14 packages found (-1 +0) (...) done]
--->  Deinstalling 'png-1.2.38'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 13 packages found (-1 +0) (...) done]
--->  Deinstalling 'gettext-0.17_1'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 12 packages found (-1 +0) (...) done]
--->  Deinstalling 'libiconv-1.13.1'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 11 packages found (-1 +0) (...) done]
--->  Deinstalling 'ispell-3.3.02_4'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 10 packages found (-1 +0) (...) done]
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 9 packages found (-1 +0) (...) done]

Listing 21. Installing nmap and tcpflow

freebsd7# pkg_add -r nmap
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/nmap.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/pkg-config-0.23_1.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/lua-5.1.4.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/pcre-7.9.tbz... Done.
freebsd7# pkg_add -r tcpflow
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/tcpflow.tbz... Done.
freebsd7# pkgdb -vu
--->  Updating the pkgdb
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 14 packages found (-0 +5) ..... done]

Listing 22. Installing pkg_cutleaves

freebsd7# pkg_add -r pkg_cutleaves
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/pkg_cutleaves.tbz... Done.
freebsd7# pkgdb -vu
--->  Updating the pkgdb
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 15 packages found (-0 +1) . done]
freebsd7# rehash
learn what packages a specified package
depends on.


freebsd7# pkg_info -rx curl
Information for curl-7.19.6_1:

Depends on:
Dependency: ca_root_nss-3.11.9_2


Here we see that curl depends on the
ca_root_nss package. The -r switch tells
pkg_info to display the packages on which
curl depends. The -x switch tells pkg_info
to do a regular expression match, so we
don't have to list the whole package name.
Does anything depend on curl?


Listing 23. Using pkg_cutleaves to remove nmap and tcpflow and dependencies



freebsd7# pkg_cutleaves
Package 1 of 7:
curl-7.19.6_1 - Non-interactive tool to get files from FTP, GOPHER, HTTP(S) servers
curl-7.19.6_1 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort?
** Keeping curl-7.19.6_1.

Package 2 of 7:
nmap-5.00 - Port scanning utility for large networks
nmap-5.00 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort? d
** Marking nmap-5.00 for removal.

Package 3 of 7:
pkg_cutleaves-20090810 - Interactive script for deinstalling 'leaf' packages
pkg_cutleaves-20090810 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort?
** Keeping pkg_cutleaves-20090810.

Package 4 of 7:
pkg_tree-1.1_1 - Get a 'graphical' tree-overview of installed packages
pkg_tree-1.1_1 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort?
** Keeping pkg_tree-1.1_1.

Package 5 of 7:
portaudit-0.5.13 - Checks installed ports against a list of security vulnerabilities
portaudit-0.5.13 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort?
** Keeping portaudit-0.5.13.

Package 6 of 7:
portupgrade-2.4.6_3,2 - FreeBSD ports/packages administration and management tool suite
portupgrade-2.4.6_3,2 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort?
** Keeping portupgrade-2.4.6_3,2.

Package 7 of 7:
tcpflow-0.21_1 - A tool for capturing data transmitted as part of TCP connections
tcpflow-0.21_1 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort? d
** Marking tcpflow-0.21_1 for removal.

Deleting nmap-5.00 (package 1 of 2).
Deleting tcpflow-0.21_1 (package 2 of 2).

Go on with new leaf packages ([yes]/no)? y

Package 1 of 2:
lua-5.1.4 - Small, compilable scripting language providing easy access to C code
lua-5.1.4 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort? d
** Marking lua-5.1.4 for removal.

Package 2 of 2:
pcre-7.9 - Perl Compatible Regular Expressions library
pcre-7.9 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort? d
** Marking pcre-7.9 for removal.

Deleting lua-5.1.4 (package 1 of 2).
Deleting pcre-7.9 (package 2 of 2).

Go on with new leaf packages ([yes]/no)? y

Package 1 of 1:
pkg-config-0.23_1 - A utility to retrieve information about installed libraries
pkg-config-0.23_1 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort? d
** Marking pkg-config-0.23_1 for removal.

Deleting pkg-config-0.23_1 (package 1 of 1).

** Didn't find any new leaves to work with, exiting.
** Deinstalled packages:
lua-5.1.4
nmap-5.00
pcre-7.9
pkg-config-0.23_1
tcpflow-0.21_1
** Number of deinstalled packages: 5

freebsd7# pkgdb -vu
--->  Updating the pkgdb
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 10 packages found (-5 +0) (...) done]
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Listing 24. Updating the ports tree with portsnap 


freebsd7# portsnap fetch 
Looking Up POresnap.FreebsD Org Mirrors... 3 Mirrors Lound. 
Fetching snapshot tag from portsnap2.FreeBSD.org... done. 


Fetching snapshot metadata... done. 


Fetching 4 metadata patches... done. 

Applying metadata patches... done. 

Fetching 0 metadata files... done. 

FeeCchang 32 ~paicches. .a.% te cunne Oars no Ur se mnles 
Applying patches... done. 

Fetching 2 new ports or files... done. 


freebsd7# portsnap update 

Removing old files and directories... done. 
Extracting new files: 

/usr/ports/audio/gtkpod/
/usr/ports/databases/pgadmin3/
/usr/ports/devel/cvsnt/
/usr/ports/devel/git/
/usr/ports/devel/jude-community/
/usr/ports/devel/p5-local-lib/
/usr/ports/games/wesnoth/
/usr/ports/graphics/Makefile
/usr/ports/graphics/mmrecover/
/usr/ports/graphics/rubygem-scruffy/
/usr/ports/mail/metal/
/usr/ports/net-mgmt/nagios-plugins/
Just /POrEs/ mec) nes. ldapd/
/usr/ports/ports-mgmt/portmaster/
/usr/ports/security/fiked/
/usr/ports/security/swatch/
/usr/ports/security/vuxml/
/usr/ports/sysutils/e2fsprogs/
/ust/ ports) sysutiis /Lipenk/
(ust) ports/sysutiils/ vista lima)
/usr/ports/textproc/ansifilter/
/usr/ports/textproc/yodl/
/usr/ports/www/Makefile
/usr/ports/www/apache22/
/usr/ports/www/elinks/
/usr/ports/www/galeon/
/usr/ports/www/gist/
/usr/ports/www/p5-Catalyst-View-JSON/
/usr/ports/www/p5-HTTP-Engine/
/usr/ports/www/pyweblib/
/usr/ports/x11-clocks/xdaliclock/
fase port s/ xli/adm, 
/usr/ports/x11/gnome2-fifth-toe/ 
(as) pork s/ <iib/ song / 


Building new INDEX files... done. 


Usdecang 220m Mon Aug )24 Ws152:56 EDP 2009 co Tue Aug 25) 07232323 EDT 2009. 
freebsd7# pkg_info -Rx curl

Information for curl-7.19.6_1:

The -R switch shows that nothing depends on curl. If we ran this
command for ca_root_nss, however, we would see that curl requires it.

freebsd7# pkg_info -Rx ca_root_nss
Information for ca_root_nss-3.11.9_2:
Required by:
curl-7.19.6_1

Another way to understand these relationships is to install the
pkg_tree package. From now on, when adding new packages, it helps to
update the package database maintained by Portupgrade, using the pkgdb
command.


freebsd7# pkgdb -vu 

---> Updating the pkgdb 

[Updating the pkgdb <format:bdb_btree>
in /var/db/pkg ... - 9 packages found
(-0 +2) .. done]

If you forget to run pkgdb after installing a package, it's not a big
problem. Any time a tool in the Portupgrade suite is invoked (such as
portupgrade itself, or other tools), the pkgdb will be updated. During
the pkg_tree installation process we saw Perl installed as a dependency
of pkg_tree. Once installed, run pkg_tree and tell it to show what
packages curl depends on.

freebsd7# pkg_tree curl
curl-7.19.6_1
 \__ ca_root_nss-3.11.9_2

Portupgrade presents a more complicated example.

freebsd7# pkg_tree portupgrade
portupgrade-2.4.6_3,2
|\__ ruby-1.8.7.160_4,1
|\__ db41-4.1.25_4
 \__ ruby18-bdb-0.6.5_1

We can go one step farther to follow the dependency chain using the
-v switch.

freebsd7# pkg_tree -v portupgrade
portupgrade-2.4.6_3,2
|\__ ruby-1.8.7.160_4,1
|\__ db41-4.1.25_4
 \__ ruby18-bdb-0.6.5_1
    |\__ ruby-1.8.7.160_4,1
     \__ db41-4.1.25_4

Now we see that Portupgrade depends on ruby, db41, and ruby18-bdb.
However, ruby18-bdb depends on ruby and db41 as well. Running pkg_tree
with no options shows all package dependencies (see Listing 17).
Understanding dependencies is important, because FreeBSD won't let you
delete a package when another package depends on it. We'll look at
that next.


Removing Packages 

For the following examples we add the open source text email client
Mutt to our system. When you check Mutt's dependencies, you find
several:

freebsd7# pkg_tree mutt
mutt-1.4.2.3_3
|\__ urlview-0.9_2
|\__ ispell-3.3.02_4
|\__ mime-support-3.46.1
|\_. Prg=-l.<2e3s 

|\__ pcre-7.9
|\__ libiconv-1.13.1
|\__ gettext-0.17_1
 \__ libslang2-2.1.4_1

If you try to delete, say, the pcre package, the attempt will fail.

freebsd7# pkg_delete pcre-7.9
pkg_delete: package 'pcre-7.9' is required by these other packages
and may not be deinstalled:
libslang2-2.1.4_1
mutt-1.4.2.3_3

If you try using the pkg_deinstall tool shipped with Portupgrade, it
will also fail (see Listing 19). This is a strength of using the
packages system, not a weakness. We don't want to break the system by
removing a package on which others depend. What if we decided to remove
Mutt? We could check what depends on it using pkg_info again.

freebsd7# pkg_info -Rx mutt

Information for mutt-1.4.2.3_3:

Nothing depends on Mutt. So, if we wanted to, we could simply delete
it using pkg_deinstall

Listing 25. Updating the portsdb used by portupgrade


freebsd7# portsdb -u 


[Updating the portsdb <format:bdb btree> in /usr/ports Se -EZ0Gs pert 
Sniries found aeann: sIOLONO ee eee ZOWURRS ant SOU aaa AE OOIO paaereainucen aes 5000 
OOO a panna. OOO ee atc taans SOLOW ase ee eerare o] OC ONe ar rarer sree dO OOO ecuereveccnes 11000 
ile] O10) 0) sero re AIC TONG) OR eager LOCO, Seeyae, thee SOOO ten ee sD LOMO) rere cop eras 17000 
ils O10) 0) epee are LOO Osea es caeteet ZO OI ae ea done] 


Listing 26. Removing curl using pkg_deinstall
ELecbsai7 pho Oeiist a! io-F eied
Sa we Ded Sian! UniaiGpe eumiel hoe Gis?
soo (Deinstalieing. ca OCm Meson li Ir 77

[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 9 packages found (-1 +0) (...) done]

[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 8 packages found (-1 +0) (...) done]

Listing 27. Finding the screen port in /usr/ports
freebsd7# cd /usr/ports
freebsd7# make search name=screen

in ep CAOLECGO. 2%

Port:   screen-4.0.3_6
Path:   /usr/ports/sysutils/screen
Info:   A multi-screen window manager
Maint:  cy@FreeBSD.org
B-deps:
R-deps: gericext-C. 17 i Mibiconv leis... cexinrols il
WWW:    http://www.gnu.org/software/screen/

...truncated...


Listing 28. The screen port is located
freebsd7# cd /usr/ports/sysutils/screen
freebsd7# ls -al

total 52

Gey xa 3 root wheel Hl2 Aug 24 16:46.
drwxr-xr-=<. Sly root “wheel. 179Z0-Aug 25 0737

Seite 1 root wheel 2366 Feb 23 2009 Makefile
Se 1 root wheel 19S Ocu 26 2V0Gedistinte
(ORG P Gata alee < 2 root wheel 512 Aug 24 16:46 files
Soe ce 1 root wheel 554 Dec 27 2002 pka-descer
Sag Ogee tinN Oti 1 root wheel 853 Aug 30°" 2004 pkg-plist


Listing 29. Running make showconfig for screen
freebsd7# make showconfig
===> The following configuration options are available for screen-4.0.3_6:
     CJK=OFF (default) "Treat CJK ambiguous characters as full width"
     INFO=ON (default) "Build and install info documentation"
     MAN=ON (default) "Build and install man pages"
     NETHACK=ON (default) "Enable nethack-style messages"
     XTERM_256=OFF (default) "Enable support for 256 colour xterm"
     HOSTINLOCKED=OFF (default) "Print user@host in locked message"
     SHOWENC=OFF (default) "Show encoding on the status line"
===> Use 'make config' to modify these settings

or pkg_delete. However, when we installed Mutt, it brought 8
dependencies along with it. Wouldn't it be good to remove those as
well? We can use the pkg_deinstall command with the -r switch for that
purpose (see Listing 20). We've now completely removed Mutt and the
packages on which Mutt depended.


Identifying and Removing Unwanted Packages

For the purposes of the next example, I install Nmap and Tcpflow (see
Listing 21). Let's imagine that a while passes, and later we'd like to
perform some housecleaning on our installed packages.


Listing 30. Results of running make showconfig for screen port 


freebsd7# ls /var/db/ports
screen
freebsd7# ls /var/db/ports/screen/
options
freebsd7# cat /var/db/ports/screen/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for screen-4.0.3_6
_OPTIONS_READ=screen-4.0.3_6
WITHOUT_CJK=true
WITH_INFO=true
WITH_MAN=true
WITH_NETHACK=true
WITHOUT_XTERM_256=true
WITHOUT_HOSTINLOCKED=true
WITHOUT_SHOWENC=true


Listing 31. Running make for the screen port 


freebsd7# make
===> Found saved configuration for screen-4.0.3_6
=> screen-4.0.3.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from ftp://ftp.uni-erlangen.de/pub/utilities/screen/.
screen-4.0.3.tar.gz 100% of 820 kB 562 kBps
===> Extracting for screen-4.0.3_6
=> MD5 Checksum OK for screen-4.0.3.tar.gz.
=> SHA256 Checksum OK for screen-4.0.3.tar.gz.
===> Patching for screen-4.0.3_6
===> Applying FreeBSD patches for screen-4.0.3_6
===> Configuring for screen-4.0.3_6
this is screen version 4.0.3
checking for gcc... cc
checking for C compiler default output... a.out
checking whether the C compiler works... yes 
Breer = (0 Vite =1e Neuen 
CC HC rein ers =02 =ENO-Striect-aliasing =pipe =ncoding.« 

ec. =o SsCreen Screen.o ansi.0o0 Tle1lo.o Mark.O MiSC.0 resize.o Socket.o 
Search.o ELiy.o Lerm.o window.o utmp.o loaday.©o putenvy.o help.o . termcap.o 
INDE SO attacher.@ pry.0 Process .o display.o conm.c ~kmapdei.o acls.0 
Praise -ooraniie eS ie, logon leyer.0 


~-Leeumeao: =hitidhe=lutik =louyor 


sched.o teln.o nethack.o encoding.o

I periodically install packages for a single task, and then leave them
behind. To perform housecleaning, I prefer using the pkg_cutleaves tool
(see Listing 22).

Next I invoke pkg_cutleaves. I'm looking for packages I'd like to
remove. Nmap and Tcpflow catch my eye. When I want to keep a package,
I hit [return] to keep it. When I want to delete a package, I hit d.
When asked if I want to go on with new leaf packages, I enter y and
continue the process (see Listing 23).

As we can see, the result of this process was removing Nmap, Tcpflow,
and all of their dependencies. If we knew from the outset what we
wanted to delete, we could have run pkg_deinstall as shown earlier.
Here I like to use the browsing nature of pkg_cutleaves to identify
packages which I don't necessarily realize I want to delete from the
beginning.
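The "required by" check that makes pkg_delete refuse, and the round-by-round leaf discovery that pkg_cutleaves walks through, as an added example that is not part of the original article or of either tool's code. The function names and the DEPS sample are assumptions; the sample is constructed from the dependency relationships the article's pkg_tree output shows, with version suffixes left out.

```shell
#!/bin/sh
# Added example: models the dependency checks, does not touch /var/db/pkg.
# Constructed data: one installed package per line as "name: dependencies".
DEPS='curl: ca_root_nss libssh2
ca_root_nss:
libssh2:
portupgrade: ruby db41 ruby18-bdb
ruby18-bdb: ruby db41
ruby:
db41:'

# required_by PKG [REMOVED]: installed packages that still depend on PKG.
# REMOVED is a space-separated list of packages already deleted.
required_by() {
    printf '%s\n' "$DEPS" | awk -v p="$1" -v gone=" $2 " '
        { name = $1; sub(/:$/, "", name)
          if (index(gone, " " name " ")) next
          for (i = 2; i <= NF; i++) if ($i == p) print name }' | sort | xargs
}

# try_delete PKG [REMOVED]: refuse while another package needs PKG.
try_delete() {
    users=$(required_by "$1" "$2")
    if [ -n "$users" ]; then
        echo "refused: $1 is required by $users"
        return 1
    fi
    echo "deleted: $1"
}

# leaves [REMOVED]: installed packages that nothing installed requires.
leaves() {
    printf '%s\n' "$DEPS" | awk -v gone=" $1 " '
        { name = $1; sub(/:$/, "", name)
          if (index(gone, " " name " ")) next
          installed[name] = 1
          for (i = 2; i <= NF; i++) needed[$i] = 1 }
        END { for (n in installed) if (!(n in needed)) print n }' | sort | xargs
}

# cut_rounds LEAF...: delete the chosen leaves, then every newly exposed
# leaf, as if "d" were answered at each prompt. Leaves that were already
# offered and kept (curl here) are not offered again.
cut_rounds() {
    gone=""; round="$*"; before=$(leaves "")
    while [ -n "$round" ]; do
        echo "round: $round"
        gone="$gone $round"
        now=$(leaves "$gone")
        round=""
        for p in $now; do
            case " $before " in
                *" $p "*) ;;
                *) round="$round $p" ;;
            esac
        done
        round=${round# }
        before="$before $now"
    done
}

# Demo: db41 is protected until everything that needs it is gone.
try_delete db41 "" || true
cut_rounds portupgrade
try_delete db41 "portupgrade ruby18-bdb"
```
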


Preparing to Build and Install Packages Using the Ports Tree

Throughout this article we have installed packages built by the
FreeBSD project. However, because we have the ports tree installed on
our system, we can build and install our own packages.

Earlier we updated our ports tree using Portsnap. Here we will update
it again (see Listing 24).

After running portsnap fetch and portsnap update, we update the
INDEX-7.db used by Portupgrade (see Listing 25). To keep it clear,
Portsnap updates /usr/ports/INDEX-7 and portsdb updates
/usr/ports/INDEX-7.db.

For the following examples we will deinstall Curl and its
dependencies, and then reinstall them later (see Listing 26).

For this example we will install the Screen application using the
ports tree.

We'll start by using the port as an example of how to install a
package. First we have to locate the port. We can use the
make search name= command in the /usr/ports directory (see Listing 27).

Here we see that sysutils/screen is the port we want (see Listing 28).

These are the files we will need to build a package using this port.
To determine if there are any dependencies required to build a package
from this port, we can use the following command.

freebsd7# make pretty-print-build-depends-list

There are no dependencies to build the package. We can also see if any
packages are required to run the package once installed.

freebsd7# make pretty-print-run-depends-list

There are no dependencies to run the package. The next command I like
to run when encountering a new port is make showconfig. This command
will show the options that will be set by default when building the
package from the ports tree. The default settings are used to build
the package provided by the FreeBSD project (see Listing 29).

We can run make config to change or just view these settings. This
starts a Curses window. We leave the configuration as-is but hit OK to
exit. Running make config has created the following entries in the
/var/db/ports directory (see Listing 30).

The ports tree will use these options when building the package.


Building and Installing Packages Using the Ports Tree: A Simple Example

At this point we are ready to proceed. In the
/usr/ports/sysutils/screen directory, run make (see Listing 31).

To install, we run make install (see Listing 32). Screen is now
installed.


Building and Installing Packages Using the Ports Tree: A More
Complicated Example

For a more complicated example, let's install Curl using the ports
tree. To install Curl via the ports tree, we need to know where it
lives. We might remember it from the ftp/curl directory at the
beginning of the article, but if we aren't sure we can again use the
make search name= command in the /usr/ports directory (see Listing 33).

The first option is what we want, but many other programs with curl in
their name are listed. In addition to running make search name= we
could also use make search key= to specify a keyword for searching. We
see ftp/curl has what we want, so we change


there. Again we run make showconfig to see available options (see
Listing 34). If we run make config, we'll see a Curses interface like
the following. Here I have enabled the LIBSSH2 option, which was off by
default.

The ability to modify a package to meet local requirements, but then
manage that package using standard tools, is one of the great
strengths of the FreeBSD ports tree.

After selecting OK, I run make showconfig again and notice the change
(see Listing 35).

Next I like to see packages that are required to build this package.

freebsd7# make pretty-print-build-depends-list
This port requires package(s) "perl-5.8.9_3" to build.


Listing 32. Running make install for the screen port

freebsd7# make install
===> Installing for screen-4.0.3_6
===> Generating temporary packing list
===> Checking if sysutils/screen already installed
...edited...
===> Registering installation for screen-4.0.3_6
===> SECURITY REPORT:
      This port has installed the following binaries which execute with
      increased privileges.
/usr/local/bin/screen

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
http://www.gnu.org/software/screen/
freebsd7# pkgdb -vu
---> Updating the pkgdb
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 9 packages found (-0 +1) . done]
freebsd7# rehash
freebsd7# which screen
/usr/local/bin/screen


Listing 33. Finding the curl port
freebsd7# cd /usr/ports
freebsd7# make search name=curl

Port:   curl-7.19.6_1
Path:   /usr/ports/ftp/curl
Info:   Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
Maint:  roam@FreeBSD.org
B-deps: perl-5.8.9_3
R-deps: ca_root_nss-3.11.9_2
WWW:    http://curl.haxx.se/

POD: eur ipe 0. 7,001
Path:   /usr/ports/ftp/curlpp
Info:   A C++ wrapper for libcurl
Maint:  roam@FreeBSD.org
B-déeps: Canroct ies sell te eure koo cl
Rodeps: Ce TLOCE ENS e oaks 2 curiae loo il
WWW:

...truncated...


We already have Perl installed, so we don't have to worry about it. If
Perl were not installed, we might consider installing the Perl package
ourselves. If we did not install the Perl package, using the ports
tree would result in building Perl and its dependencies (if any) from
the ports tree as well. Now I see what packages are required to run
this package, once installed.

freebsd7# make pretty-print-run-depends-list
This port requires package(s) "ca_root_nss-3.11.9_2" to run.

That makes sense. We already saw that when Curl was installed, the
ca_root_nss package was listed as a dependency.

However, in the next section we will find that this output is not
complete due to the customization for libssh2 that we introduced.

To simply install Curl, we could use make again. However, we saw that
ca_root_nss-3.11.9_2 is a runtime dependency. We can install the
package manually first before installing Curl via the ports tree (see
Listing 36). Now, when we install Curl via the ports tree, we don't
have to worry about the dependency being installed through the ports
tree (see Listing 37). Now we run make install (see Listing 38).
During installation, libssh2 was found to be a dependency, based on
the customization we made. We can see the dependency using pkg_tree.

freebsd7# pkg_tree curl
curl-7.19.6_1
|\__ libssh2-1.2,2
 \__ ca_root_nss-3.11.9_2

If we want to create a package for Curl, we can use the make package
command (see Listing 39). If we want to make the package and its
dependencies, we use make package-recursive (see Listing 40). Note
that using the make package-recursive command means you don't have to
run make install. With FreeBSD, there is not a way to make a package
but avoid installation.


freebsd7# ls /usr/ports/packages/All 
Ga Poot mes-s.11.9 2.the perl-o.8.9 32tb2 
Curl=7.19.6-12.tbe 
Coes pe in wl 82 


libssh?-1s2,2.tbzZ 


portaudit—

Install Packages Built on One System to Another System

Once packages are built using the ports tree, you can install them on
similar systems elsewhere. For example, we can copy packages from
freebsd7 to another system and install them locally. In the following
example we begin on host freebsd7S and will install packages built
earlier in this article (see Listing 41).

So, the new package is installed, but what if we wanted to add a
package with


Listing 34. Running make showconfig for the curl port

freebsd7# make showconfig
===> The following configuration options are available for curl-7.19.6_1:
     CARES=off (default) "Asynchronous DNS resolution via c-ares"
     CURL_DEBUG=off (default) "Enable curl diagnostic output"
     GNUTLS=off (default) "Use GNU TLS if OPENSSL is OFF"
     IPV6=on (default) "IPv6 support"
     KERBEROS4=off (default) "Kerberos 4 authentication"
     LDAP=off (default) "LDAP support"
     LDAPS=off (default) "LDAPS support (requires LDAP and SSL)"
     LIBIDN=off (default) "Internationalized Domain Names via libidn"
     LIBSSH2=off (default) "SCP/SFTP support via libssh2"
     NTLM=off (default) "NTLM authentication"
     OPENSSL=on (default) "OpenSSL support"
     PROXY=on (default) "Proxy support"
     TRACKMEMORY=off (default) "Enable curl memory diagnostic output"
===> Use 'make config' to modify these settings


Listing 35. Changes after running make showconfig

freebsd7# make showconfig
===> The following configuration options are available for curl-7.19.6_1:
     CARES=off "Asynchronous DNS resolution via c-ares"
     CURL_DEBUG=off "Enable curl diagnostic output"
     GNUTLS=off "Use GNU TLS if OPENSSL is OFF"
     IPV6=on "IPv6 support"
     KERBEROS4=off "Kerberos 4 authentication"
     LDAP=off "LDAP support"
     LDAPS=off "LDAPS support (requires LDAP and SSL)"
     LIBIDN=off "Internationalized Domain Names via libidn"
     LIBSSH2=on "SCP/SFTP support via libssh2"
     NTLM=off "NTLM authentication"
     OPENSSL=on "OpenSSL support"
     PROXY=on "Proxy support"
     TRACKMEMORY=off "Enable curl memory diagnostic output"
===> Use 'make config' to modify these settings


Listing 36. Installing the curl package

freebsd7# pkg_add -r ca_root_nss
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/ca_root_nss.tbz... Done.
freebsd7# pkgdb -vu
---> Updating the pkgdb
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 10 packages found (-0 +1) . done]


Listing 37. Running make for the curl port

freebsd7# make
===> Found saved configuration for curl-7.19.6_1
=> curl-7.19.6.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from http://curl.haxx.se/download/.
fetch: transfer timed out
=> Attempting to fetch from ftp://ftp.sunet.se/pub/www/utilities/curl/.
curl-7.19.6.tar.bz2 100% of 2292 kB 2336 kBps
===> Extracting for curl-7.19.6_1
=> MD5 Checksum OK for curl-7.19.6.tar.bz2.
=> SHA256 Checksum OK for curl-7.19.6.tar.bz2.
===> curl-7.19.6_1 depends on file: /usr/local/bin/perl5.8.9 - found
===> Patching for curl-7.19.6_1
===> curl-7.19.6_1 depends on file: /usr/local/bin/perl5.8.9 - found
===> Applying FreeBSD patches for curl-7.19.6_1
===> curl-7.19.6_1 depends on file: /usr/local/bin/perl5.8.9 - found
===> curl-7.19.6_1 depends on shared library: ssh2.1 - not found
===> Verifying install for ssh2.1 in /usr/ports/security/libssh2
=> libssh2-1.2.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from http://www.libssh2.org/download/.
fetch: transfer timed out
=> Attempting to fetch from http://redundancy.redundancy.org/mirror/.
fetch: http://redundancy.redundancy.org/mirror/libssh2-1.2.tar.gz: Not Found
=> Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.
libssh2-1.2.tar.gz 100% of 519 kB 2150 kBps
===> Extracting for libssh2-1.2,2
=> MD5 Checksum OK for libssh2-1.2.tar.gz.
=> SHA256 Checksum OK for libssh2-1.2.tar.gz.
===> Patching for libssh2-1.2,2
===> Configuring for libssh2-1.2,2
checking whether to enable maintainer-specific portions of Makefiles... no
checking for sed... /usr/bin/sed
checking for a BSD-compatible install... /usr/bin/install -c -o root -g wheel
checking whether build environment is sane... yes
...edited...
===> Registering installation for libssh2-1.2,2
===> Returning to build of curl-7.19.6_1
===> Configuring for curl-7.19.6_1
checking whether to enable maintainer-specific portions of Makefiles... no
checking whether to enable debug build options... no
checking whether to enable compiler optimizer... not specified (assuming yes)
checking whether to enable strict compiler warnings... no
checking whether to enable curl debug memory tracking... no
checking for sed... /usr/bin/sed
checking for grep... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ar... /usr/bin/ar
checking for a BSD-compatible install... /usr/bin/install -c -o root -g wheel
checking whether build environment is sane... yes
...edited...
Making all in examples
Malang, “all in tiene:


Listing 38. Running make install for the curl port

freebsd7# make install
===> Installing for curl-7.19.6_1
===> curl-7.19.6_1 depends on file: /usr/local/share/certs/ca-root-nss.crt - found
===> curl-7.19.6_1 depends on shared library: ssh2.1 - found
===> Generating temporary packing list
===> Checking if ftp/curl already installed
Malone, dims ad ily aim «ln
...edited...
===> Registering installation for curl-7.19.6_1
===> SECURITY REPORT:
      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.
/usr/local/lib/libcurl.so.5

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
http://curl.haxx.se/
freebsd7# pkgdb -vu
---> Updating the pkgdb
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 12 packages found (-0 +2) .. done]

dependencies? For examples like this, we could mount the remote
system's /usr/ports/packages directory using NFS, and add from there.
The remote system here is freebsd7, or 172.16.134.128. I recommend
making a read-only mount (via -o ro) so that the NFS client does not
accidentally alter the server (see Listing 42).


Listing 39. Running make package for the curl port 

freebsd7# make package
===> Building package for curl-7.19.6_1
Creating package /usr/ports/packages/All/curl-7.19.6_1.tbz
Registering depends: ca_root_nss-3.11.9_2 libssh2-1.2,2.
Creating bzip'd tar ball in '/usr/ports/packages/All/curl-7.19.6_1.tbz'


Listing 40. Running make package-recursive for the curl port

freebsd7# make package-recursive
===> Generating temporary packing list
Creating package /usr/ports/packages/All/perl-5.8.9_3.tbz
Registering depends:.
Registering conflicts: perl-5.6.* perl-5.10.* perl-threaded-5.10.*.
Creating bzip'd tar ball in '/usr/ports/packages/All/perl-5.8.9_3.tbz'
Creating package /usr/ports/packages/All/libssh2-1.2,2.tbz
Registering depends:.
Creating bzip'd tar ball in '/usr/ports/packages/All/libssh2-1.2,2.tbz'
rmdir: /usr/ports/security/libssh2/work: Directory not empty
*** Error code 1 (ignored)
===> Generating temporary packing list
Creating package /usr/ports/packages/All/ca_root_nss-3.11.9_2.tbz
Registering depends:.
Creating bzip'd tar ball in '/usr/ports/packages/All/ca_root_nss-3.11.9_2.tbz'


Listing 41. Copying and installing a package from another system 


freebsd7S# uname -a 
FreeBSD freebsd7S.taosecurity.com 7.2-STABLE FreeBSD 7.2-STABLE #2: Sat Aug 
22 Ay ie Ae BZ O09 Poot@rrecbsd/.jlocaldomain>/usr/oby/usr/srce/svs/7 
FREEBSD] “15966 

freebsd7S# mkdir -p /usr/ports/packages/All
freebsd7S# sftp analyst@172.16.134.128
Connecting to 172.16.134.128...
Password:
sftp> cd /usr/ports/packages/All
sftp> ls

Cav oOt Wes sain eZ 


(tiie lee ae ke log leie loys Intoseii. 125 2 rio 


Berio 26.2855 .bo7 PovravedTE=USS.13 bog 

Salo er ved, POOr rss. 91h: Ie EbZ 

Ferching /USst/ports/ packages, AlV/ca root nss—3, 11.9 2. tbz te ca, root meas= 
Cplby cael ev. 

/uis/ Pores] packages/ Alea root Mes—3511.9) 2.) INO ce IOoke 163. 7hR/s 00:00 
Sie p os cua 

ELeecbsdis7 iG Ladd aca POOr Nss- ol 9 7 eo72 

Pree sdiis7 PCr to ll ree ea eC. 


ca_root_nss-3.11.9_2 The root certificate bundle from the Mozilla Project

Curl and its dependencies have now been installed over NFS from the
freebsd7 system. This example demonstrates how a centralized system
(in this case, freebsd7) could serve as a local site ports tree and
package repository, and client systems (like freebsd7S) could install
packages from the local repository. In fact, the clients would not
have to maintain their own ports trees.
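The ports tree checks the MD5 and SHA256 of every distfile before it builds (Listings 31 and 37); clients that pull packages from a local builder over sftp or NFS can apply a similar check before pkg_add. The following is an added example, not code from the article: the manifest file name, the function names and the sample files are assumptions, and the manifest is assumed to reach the client over a channel you trust.

```shell
#!/bin/sh
# Added example: verify locally built packages against a SHA256 manifest
# written on the package builder before installing them on a client.

# digest FILE: print the SHA256; sha256(1) on FreeBSD, sha256sum elsewhere.
digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{ print $1 }'
    fi
}

# make_manifest DIR OUT: on the builder, record "digest  name" per .tbz.
make_manifest() {
    : > "$2"
    for f in "$1"/*.tbz; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(digest "$f")" "$(basename "$f")" >> "$2"
    done
}

# verify_pkg MANIFEST FILE: 0 = digest matches, 1 = mismatch, 2 = not listed.
verify_pkg() {
    name=$(basename "$2")
    want=$(awk -v n="$name" '$2 == n { print $1; exit }' "$1")
    if [ -z "$want" ]; then
        echo "REFUSE $name: not in manifest"
        return 2
    fi
    if [ "$(digest "$2")" = "$want" ]; then
        echo "OK $name"
    else
        echo "REFUSE $name: digest mismatch"
        return 1
    fi
}

# verify_all MANIFEST DIR: check every package; nonzero if any one fails.
verify_all() {
    bad=0
    for f in "$2"/*.tbz; do
        [ -f "$f" ] || continue
        verify_pkg "$1" "$f" || bad=1
    done
    return $bad
}

# Demo with constructed files standing in for packages (dummy contents).
demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/pkgcheck.XXXXXX") || return 1
    mkdir "$work/builder" "$work/client"
    echo "constructed curl package"    > "$work/builder/curl-7.19.6_1.tbz"
    echo "constructed libssh2 package" > "$work/builder/libssh2-1.2,2.tbz"
    make_manifest "$work/builder" "$work/MANIFEST.sha256"
    cp "$work"/builder/*.tbz "$work/client/"
    # Simulate a package altered after the manifest was written.
    echo "altered" >> "$work/client/libssh2-1.2,2.tbz"
    # Simulate a file the builder never produced.
    echo "constructed extra" > "$work/client/extra-1.0.tbz"
    rc=0
    verify_all "$work/MANIFEST.sha256" "$work/client" || rc=$?
    rm -rf "$work"
    return $rc
}

demo || echo "one or more packages failed verification; do not pkg_add them"
```

On a read-only NFS mount like the one in Listing 42 the client cannot alter the repository, but the manifest still catches packages that changed on the builder after it was written.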

Let's show how mounting /usr/ports from the package repository
freebsd7 helps the client freebsd7S learn what packages need updating.
First, for this particular installation, we know that our clients will
need the sysutils/cmdwatch utility, so we make a package of it on our
package builder freebsd7 (see Listing 43). Now we turn to the package
client, freebsd7S, and mount the package builder's /usr/ports
directory (see Listing 44). We can run pkgdb -vu on freebsd7S because
it stores the package database used by Portupgrade in /var/db/pkg on
the local system.

freebsd7S# pkgdb -vu
---> Updating the pkgdb
[Rebuilding the pkgdb <format:bdb_btree> in /var/db/pkg ... - 12 packages found (-0 +12) ............ done]


Now we run portversion -v to see which packages need updating on the
client. The client uses NFS to compare to the versions on the package
builder (see Listing 45).

We see that cmdwatch and screen need updating. On the client we invoke
Portupgrade using the -vaPP switches (see Listing 46).

We see that Portupgrade did not find a screen package on the package
builder (in /usr/ports/packages/All), and when it failed it tried to
find a package on a remote FreeBSD server. That failed too, because
the FreeBSD project does not build screen packages. The project
recommends users build their own packages for screen. However, the
newest version of cmdwatch was installed, using the package
/usr/ports/packages/All/cmdwatch-0.2.0_2.tbz.


Installing Screen Using a Remote 
FreeBSD Ports Tree 

What do we do about screen? It turns out 
that we can work around this problem. 


Listing 42. Installing the curl package over NFS 


freebsd7S# mount -t nfs -o ro 172.16.134.128:/usr/ports/packages /usr/ports/packages
freebsd7S# mount
/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad0s1f on /home (ufs, local, soft-updates)
/dev/ad0s1g on /tmp (ufs, local, soft-updates)
/dev/ad0s1d on /usr (ufs, local, soft-updates)
/dev/ad0s1e on /var (ufs, local, soft-updates)
172.16.134.128:/usr/ports/packages on /usr/ports/packages (nfs, read-only)
freebsd7S# cd /usr/ports/packages/All
freebsd7S# ls
ca_root_nss-3.11.9_2.tbz   perl-5.8.9_3.tbz
curl-7.19.6_1.tbz          portaudit-0.5.13.tbz
libssh2-1.2,2.tbz
freebsd7S# pkg_add -v curl-7.19.6_1.tbz
Requested space: 4525K bytes, free space: 455M bytes in 
[Var tmp/ insti 70 Hoy 
Package “Cuil ao 651 depends on) ibssiZ—1.2,2)" W2en 
"Securrey/ biessh2" (Origin, 
Loading it from /usr/ports/packages/All/libssh2- 
ee 2 eae, 
Reguested space: 711K bytes, free space: 452M bytes in 
/var/tmp/instmp.  6EzFeD 
extract: Package name 1s libssh2-1.2,2 
extEract: CW LO /usr, local 
extract. 9/usr,/ local, imeluadeAlipssh2 sh 

we CCLiLed w5.4 
extract: “/Wsr/ local /man/man3/libsshiz2 version. 3.42 
@xtrack. execute "/sbin/ ldcontig -—m /usr/ local /ilab 
exerci.) CN seo 
Running meres fer libsshz-1.2, 2. 
meres —U ret MrRey BERS od >e =p /usi local >/dev/nuli 
Attempting to record package into /var/db/pkg/libssh2- 
ee ee 

Package libssh2—-l.2,2 registered in /var/db/okg/libsshiz— 
slg Coane es 

Packege. eu oor deepens OM) Cae POCm tise — ilo) 
2 ILE  SCCUEMTY Cal SOO Mss Origin, 

- already installed. 
exEract, Package Mame is curls) 196. i 
extract; <WD “LO -/usry local 


Sxrpacie/ usr, local/many mManl/cmini az 


COLTS a5.5 

extract: /usr/local/share/examples/curl/threaded-ssl.c 
extract, execute "/sbin/ ldcontig —m /usr/local/ilap' 
Sxeracc: CWO 


Rulinine Meres Bor sour i. 1926 le 

miree -U -f£ +MTREE DIRS -d -e -p /usr/local >/dev/null 
Attempting to record package into /var/db/pkg/curl-7.19.6_1..
Trying to record dependency on package "libssh2-1.2,2" with "security/libssh2" origin.
Trying to record dependency on package "ca_root_nss-3.11.9_2" with "security/ca_root_nss" origin.
Package curl-7.19.6_1 registered in /var/db/pkg/curl-7.19.6_1

freebsd7S# cd 

freebsd7S# umount /usr/ports/packages 


Listing 43. Creating the cmdwatch package 


freebsd/7# cd /usr/ports/sysutils/cmdwatch 

freebsd7# make package 
=> cmdwatch-0.2.0.tareqz doesn't: Séem to exist in /usir/ 
POreESs/distiles/ . 
=> Attempting to fetch from http://www.chruetertee.ch/ 
files/download/. 

emdwach=0.2, 0.tar.g2 100% OF 1a ke 66 kBps 
== ee CaCl ii fOr cieweten 0.2.07 
=> MDS Checksum OK for cmdwatch-0.2.0.tar.gz. 
=> SHAZ56 Checksum OK for cmdwatch-0.2.0.tar.qz: 
=—=- Pacehing .ben Clo wawel—0 77.007 
———  fepl ying reeb oD patches fer Cidyvalrci 0272. 02 
=== SP CONN £08 <neayeccni e207 
= suliding Een cidwarci—02Z 02 
Maine cnowat ele GebOpu ne ili PUNCrE Lon s cero pEs 
internal’: 

«+ -Cd1ted . .. 

done. 
===> Installing for cmdwatch-0.2.0_2
===> Generating temporary packing list
===> Checking if sysutils/cmdwatch already installed
Making cmdwatch... done.
Installing cmdwatch
===> Compressing manual pages for cmdwatch-0.2.0_2
===> Registering installation for cmdwatch-0.2.0_2
===> Building package for cmdwatch-0.2.0_2
Creating package /usr/ports/packages/All/cmdwatch-0.2.0_2.tbz
Registering depends:.
Creating bzip'd tar ball in '/usr/ports/packages/All/cmdwatch-0.2.0_2.tbz'
freebsd7# pkgdb -vu
---> Updating the pkgdb
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 13 packages found (-0 +1) done]
Listing 44. Mounting the package builder using NFS

freebsd7S# mount -t nfs -o ro 172.16.134.126:/usr/ports /usr/ports
freebsd7S# mount
/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad0s1f on /home (ufs, local, soft-updates)
/dev/ad0s1g on /tmp (ufs, local, soft-updates)
/dev/ad0s1d on /usr (ufs, local, soft-updates)
/dev/ad0s1e on /var (ufs, local, soft-updates)
172.16.134.126:/usr/ports on /usr/ports (nfs, read-only)

Listing 45. Running portversion 
freebsd7S# portversion -v 

Cas POOE Nss>oe1dy OZ =— Up=tO-date WALh port 
cmdwatch-0.2.0_1 < needs updating (port has 0.2.0_2)
curl-7.19.6_1 = up-to-date with port
evsup-wi ENOuUE Gul — 6. hn 4 = 
db41-4.1.25 4 = 
Mp seta ie = 


Derk 5.62955 = 


up-to-date with port 
up-to-date with port 
up-to-date with port 
up-to-date with port 
pko cut leéaves—2 009010 = up-to-date with port 
POTtupgrade—2 1426 7372 = up-to-date with port 
Duby tod. oO 4, 1 = up-to-date with port 
ruby e>pdb=0).6. Soi = up-to-date with port 
screen-4.0.3_5 < needs updating (port has 4.0.3_6)

Listing 46. Running portupgrade 

freebsd7S# portupgrade -vaPP
---> Session started at: Tue, 25 Aug 2009 14:56:56 -0400
---> Checking for the latest package of 'sysutils/screen'
---> Fetching the package(s) for 'screen-4.0.3_6' (sysutils/screen)
---> Fetching screen-4.0.3_6
++ Will try the following sites in the order named:
ftp://ftp.FreeBSD.org//pub/FreeBSD/ports/i386/packages-7-stable/
---> Invoking a command: /usr/bin/fetch -o '/var/tmp/portupgrade69eLJ2VS/screen-4.0.3_6.tbz' 'ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/All/screen-4.0.3_6.tbz'
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/All/screen-4.0.3_6.tbz: File unavailable (e.g., file not found, no access)
** The command returned a non-zero exit status: 1
** Failed to fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/All/screen-4.0.3_6.tbz
---> Invoking a command: /usr/bin/fetch -o '/var/tmp/portupgrade69eLJ2VS/screen-4.0.3_6.tgz' 'ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/All/screen-4.0.3_6.tgz'
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/All/screen-4.0.3_6.tgz: File unavailable (e.g., file not found, no access)
** The command returned a non-zero exit status: 1
** Failed to fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/All/screen-4.0.3_6.tgz
** Failed to fetch screen-4.0.3_6
---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
! screen-4.0.3_6 (fetch error)
---> Packages processed: 0 done, 0 ignored, 0 skipped and 1 failed
---> Fetching the latest package(s) for 'screen' (sysutils/screen)
---> Fetching screen
++ Will try the following sites in the order named:
ftp://ftp.FreeBSD.org//pub/FreeBSD/ports/i386/packages-7-stable/
---> Invoking a command: /usr/bin/fetch -o '/var/tmp/portupgradeKmGTSv48/screen.tbz' 'ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/screen.tbz'
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/screen.tbz: File unavailable (e.g., file not found, no access)
** The command returned a non-zero exit status: 1
** Failed to fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/screen.tbz
---> Invoking a command: /usr/bin/fetch -o '/var/tmp/portupgradeKmGTSv48/screen.tgz' 'ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/screen.tgz'
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/screen.tgz: File unavailable (e.g., file not found, no access)
** The command returned a non-zero exit status: 1
** Failed to fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/screen.tgz
** Failed to fetch screen
---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
! screen@ (fetch error)
---> Packages processed: 0 done, 0 ignored, 0 skipped and 1 failed
** Could not find the latest version (4.0.3_6)
** No package available: sysutils/screen
---> ** Upgrade tasks 2: 0 done, 0 ignored, 0 skipped and 1 failed
---> Checking for the latest package of 'sysutils/cmdwatch'
---> Found a package of 'sysutils/cmdwatch': /usr/ports/packages/All/cmdwatch-0.2.0_2.tbz (cmdwatch-0.2.0_2)

---> Upgrade of sysutils/cmdwatch started at: Tue, 25 
Aug, 2009) 142 53201-0406 

---> Upgrading 'cmdwatch-0.2.0_1' to 'cmdwatch-0.2.0_2' (sysutils/cmdwatch) using a package
---> Updating dependency info 

==—> | Ulimstallation ob cidwatch—U 22:0) 1) Started aL: Tue,425 Aug 


2009 14.56: 02-=0400 
Listing 46. Running portupgrade (cont)


---> Fixing up dependencies before creating a package 
---> Backing up the old version
---> Uninstalling the old version
---> Deinstalling 'cmdwatch-0.2.0_1'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 11 packages found (-1 +0) (...) done]
===> SUnImStelilat lon or emdwarchi-Us2. U0) ended arieiue, 25, Aug 2009 14s5e523 
-0400 (consumed 00:00:25) 
sao INSstallatvon son scMdwatch—U 2.07 starved ats ive, 2a Aug 2009 iaeesz6 0400 
---> Installing the new version via the package 
---> Removing temporary files and directories 
---> Removing old package
=eo> istallation or sMdnatech—U.7 70 ended ater tue Ae25 Aug 2009 2456731 c— 
0400 (consumed 00:00:02) 
---> Cleaning out obsolete shared libraries 
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 12 packages found (-0 +1) done]
---> Upgrade of sysutils/cmdwatch ended at: Tue, 25 Aug 2009 14:58:53 -0400 (consumed 00:00:51)
---> ** Upgrade tasks 2: 1 done, 0 ignored, 0 skipped and 1 failed
---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
! sysutils/screen (screen-4.0.3_5) (package not found)
+ sysutils/cmdwatch (cmdwatch-0.2.0_1)
---> Packages processed: 1 done, 0 ignored, 0 skipped and 1 failed
---> Session ended at: Tue, 25 Aug 2009 14:59:12 -0400 (consumed 00:02:16)
freebsd7S# portversion -v 
Cav LOOENN SSS a ikag a = Up -tO-daue WA2th Dore 
cmdwatch-0.2.0_2 = up-to-date with port
Cilmal Sabe eo vi = up-to-date with port 
CvsUp wilt meme guak = Wie alin 4 = 
db4i-4 1.254 = 
pose? =. 22 _ 


[ehovanll eno cl mac ie 6) = 


up-to-date with port 
up-to-date with port 
up-to-date with port 
up-to-date with port 
DRO curleaeves—Z0070 E10 = up-to-date with port 
POrLupgrade 2.4756 3, 2 = up-to-date with port 
tubby. 82). Louisa, = up-to-date with port 
tuby le bodb=06..5 cil = up-to-date with port 
screen-4.0.3_5 < needs updating (port has 4.0.3_6)

Listing 47. Common package upgrade process 

ence leny Hlhe eRe Qinserl. your re <7) 

2. setenv PACKAGESITE ftp://ftp[X].freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/ where [X] is the number of a FreeBSD FTP server near you.


~ POLEVerSsiOn “=v c=" 


3. portsnap fetch 
4. portsnap update 
ie (Oreo. U 

6. pkgdb -vu

8. Read /usr/ports/UPDATING to see if any special instructions apply to packages of interest.
9. portupgrade -vaPP 


10, porkversion. =v >) a" 
First, remove the old package using any of the methods demonstrated in this article. Next, mount the package builder's ports directory.

freebsd7S# mount -t nfs -o ro 172.16.134.126:/usr/ports /usr/ports

If /usr/ports doesn't exist on the client, create it. Now cd to /usr/ports/sysutils/screen and run the following.

freebsd7S# cd /usr/ports/sysutils/screen
freebsd7S# make WRKDIRPREFIX=/tmp
freebsd7S# make install WRKDIRPREFIX=/tmp

When done, the new version of screen will be built using the remote package builder's ports tree, with the source code installed on the local system.


My Common Package Update Process

So what is the end result of this process? For individual systems, I recommend the following process. This assumes Portupgrade is installed, and that I rely on packages produced by the FreeBSD project. I also assume that Portaudit is running automatically every day already (see Listing 47).


Conclusion 

I hope this article has helped you understand the different ways to keep FreeBSD applications up-to-date. It is by no means comprehensive, but by following it you hopefully can judge the different ways to keep your applications current.
Spam control with a stock OpenBSD install

Girish Venkatachalam

Ever since e-mail became ubiquitous, unwanted e-mail or spam, also known as UCE (Unsolicited Commercial E-mail) or UBE (Unsolicited Bulk E-mail), has become popular too.


E-mails today form the backbone of any company, no matter if it makes spacecraft or leather boots. E-mail is not just a medium for communication but the most important corporate tool.

Due to many historic accidents and a combination of other factors, spammers have been finding it really easy to fake e-mail sending. They send unsolicited e-mails with so much impunity and coordination that nearly every spam protection mechanism, be it technical, political or regulatory, has been smashed to smithereens.

Spammers are smart people and they know what they are doing. And their level of motivation is quite high because there is money in the business. People do fall for lures to get bigger private organs or easy money. Lottery wins, Nigerian widows and p0rn may not interest you and me; they actually annoy us, but the Internet still has many naive people whom these spammers can bait and walk off with their money.

Spamming is a volume game. They don't care about particular users receiving their messages. They really don't care if intelligent users delete their mails or use a spam filter. As long as their profits are higher than their overheads, their business model works. As I said, they are in the game for the money.

That being the case, any technology solution to fight spammers has to hit them where it hurts them the most. We have to target their business model. This is easily done. Let me explain.

Spammers hardly spend any money or resources to send out spam. Spammers send bulk commercial e-mail using a huge network of coordinated computers working in tandem to send out millions of mails. They use open relays and they even create bogus BGP routes to send out spam. Unallocated BGP networks known as bogons come and go. Spammers come, they send out the mails and then they vanish. They operate from some other country to avoid detection. Any form of regulation is not going to fight them. We have to use technology. And OpenBSD has an excellent method to fight such brain damaged individuals. This article is about that.


How OpenBSD fights spam? 

You may be wondering how an open source free operating system can be equipped with a spam filter. And you may also wonder at its effectiveness. It turns out that OpenBSD's spam filtering arsenal is the most powerful spam filtering technique on the planet. It is way too powerful compared to anything you already know like Spamassassin or any other commercial product. It wins hands down in this particular game.

And most of all it is completely free. All you need to do is download the latest OpenBSD ISO, install it on a PC and set things up. You have to run this machine in front of your e-mail server machine since OpenBSD spamd(8) does not even allow spam to come in. It saves your bandwidth and e-mail storage/archival costs.

Moreover this does not require any manual intervention or maintenance. No babysitting necessary like Spamassassin and certainly no false positives problem in which you lose legitimate e-mails.

It is the ultimate spam filter!

But what it does is not really spam filtering. It performs spam control by not even letting spam in. Spammers get an error message and they cannot survive our tests since that costs them resources and money. And their business model does not allow that.

OpenBSD does tarpitting or teergrubing in such a fashion that legitimate mail senders don't feel anything but it hits the spammer. And it hits him real hard. Ultimately you as a user win without losing anything.
And you end up losing a lot when you use a content scanning spam filter like Spamassassin. Spamassassin slows your e-mails since it does content scanning and you lose important e-mail. It also requires heavy maintenance and it wastes mail server storage space and your network bandwidth. It deletes spam mails after receiving them and people have to manually pass false positives or get rid of real spam.

Whereas OpenBSD works in a completely different manner. It relies on traffic shaping at the TCP layer to achieve spam control.

Here is a diagrammatic representation of how OpenBSD does spam filtering; see Figure 1.

There are three UNIX daemons of interest here. spamd(8) is the master daemon that runs a fake SMTP daemon at port 8025. Run this command as root on an OpenBSD machine.

# /usr/libexec/spamd

After that try this command.

> nc -v localhost 8025

You will find how OpenBSD spamd implements the tarpit mechanism to hurt spammers.

Here onwards we are going to get really technical. Please be warned that this section is meant for people who are very familiar with the OpenBSD OS. People with a thorough grounding in OpenBSD's internals and firewall software pf(4) will benefit the most from the rest of the article. However you can read through and fill in the gaps in your understanding once you gain more familiarity with this fantastic operating system.

Figure 1. OpenBSD - the daemon workhorses

spamd(8): Update /var/db/spamd database. Track blacklisted IPs. Implement tarpit by delaying response (stuttering).

spamd-setup(8): Keep track of blacklisted IP netblocks that send out spam right now. Updated every hour. Talks to spamd(8) using the spam-cfg local UDP socket interface. It is a simple line by line text protocol.

spamlogd(8): Keep looping over pcap_loop() on interface /dev/pflog0 log interface for mail attempts for whitelisting.

spamlogd(8) is a libpcap(3) infinite loop that reads the pflog0 virtual network interface to check for connections to the mail server. This daemon is important since without this, legitimate mails will not get through.

And the spamd-setup(8) daemon checks for the worldwide blacklists of spam senders. This daemon talks to the spamd(8) daemon using a simple line by line text protocol on the local spamd-cfg UDP port.

You need this /etc/pf.conf file since it is OpenBSD's excellent firewall pf(4) that does all the networking magic for us. pf(4) tables are a very powerful concept for blacklisting IP addresses that misbehave in many ways. Spam control is not very different from other forms of misbehavior like launching ssh bruteforce attacks or denial of service attacks on us.

pf(4) tables allow us to add hosts and IP addresses dynamically based on matching rules and you can check against this list for future packets from those hosts and act in a different manner.

Let me illustrate the above concept with an example.

Let us say you have ssh bruteforce attacks coming from an IP address 1.3.4.45. You can identify this in a pf(4) rule and you can add this IP to the table called <badhosts> with this rule.


# state options have to follow a state keyword such as "keep state"
pass inet proto tcp from any to port $tcp_services \
    keep state (max-src-conn 100, max-src-conn-rate 15/7, \
    overload <badhosts> flush global)


And now all you have to do is plonk this line:

block quick from <badhosts>

towards the beginning of your pf(4) rules. You also need to declare this table beforehand.
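
The following is an added example, not part of the original article or of pf itself: a simplified Python model of how the overload rule and the block rule work together, replayed over constructed connection events. The class and function names, the exact sliding window, and the two addresses other than 1.3.4.45 are assumptions; the limits default to the numbers printed in the rule (100 concurrent connections, 15 new connections per 7 seconds).

```python
from collections import Counter, defaultdict, deque


class OverloadModel:
    """Simplified model of per-source limits feeding an overload table.

    Assumption: an exact sliding window stands in for pf's internal rate
    estimate, so results near the threshold can differ from a real firewall.
    """

    def __init__(self, max_src_conn=100, rate=(15, 7)):
        self.max_src_conn = max_src_conn           # concurrent states per source
        self.rate_limit, self.rate_window = rate   # new connections / seconds
        self.states = defaultdict(int)             # source -> open connections
        self.recent = defaultdict(deque)           # source -> recent open times
        self.badhosts = set()                      # stands in for <badhosts>

    def open(self, ts, src):
        """Classify one new TCP connection as 'pass', 'overload' or 'block'."""
        if src in self.badhosts:
            return "block"                         # block quick from <badhosts>
        window = self.recent[src]
        window.append(ts)
        while window[0] <= ts - self.rate_window:  # drop opens outside the window
            window.popleft()
        self.states[src] += 1
        too_fast = len(window) > self.rate_limit
        too_many = self.states[src] > self.max_src_conn
        if too_fast or too_many:
            self.badhosts.add(src)                 # overload <badhosts>
            self.states[src] = 0                   # flush global: drop its states
            window.clear()
            return "overload"
        return "pass"

    def close(self, src):
        """Record that one connection from src has ended."""
        if self.states[src] > 0:
            self.states[src] -= 1


def replay(events, **limits):
    """Feed (timestamp, source, 'open'|'close') events through the model."""
    model = OverloadModel(**limits)
    verdicts = defaultdict(Counter)
    for ts, src, kind in sorted(events):
        if kind == "open":
            verdicts[src][model.open(ts, src)] += 1
        else:
            model.close(src)
    return verdicts, model.badhosts


def sample_events():
    """Constructed traffic: one fast source, one polite one, one state hoarder."""
    events = []
    # 1.3.4.45 (the address from the text): 30 opens at five per second.
    events += [(i / 5, "1.3.4.45", "open") for i in range(30)]
    # 192.0.2.10: one short connection per second, closed half a second later.
    for i in range(40):
        events.append((i, "192.0.2.10", "open"))
        events.append((i + 0.5, "192.0.2.10", "close"))
    # 198.51.100.7: one open per second that is never closed.
    events += [(i, "198.51.100.7", "open") for i in range(120)]
    return events


if __name__ == "__main__":
    verdicts, badhosts = replay(sample_events())
    for src in sorted(verdicts):
        print(src, dict(verdicts[src]))
    print("table <badhosts>:", sorted(badhosts))
```

The fast source trips the rate limit, the hoarder trips the concurrent-connection limit, and the source that opens and closes one connection per second never enters the table.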

Now getting back to spam control. This is the firewall rule file /etc/pf.conf that you need for spam control (see Listing 1).

For those of you who know pf(4) already, this file should not be cryptic at all. But for others I shall do a bit of explaining. Most lines are very clear and self explanatory. I shall only touch upon the important ones. The line:


rdr pass log on $ext_if proto tcp from <white> to ($ext_if) port smtp \
    -> <mailserver> round-robin


does a destination NAT or TCP connection forwarding to the <mailserver> table declared above. The keyword round-robin states that if there are n hosts in the <mailserver> table like this:

table <mailserver> const { 1.2.3.5, 1.2.3.6, 1.2.3.7 }

then the rdr rule will redirect the first SMTP connection to 1.2.3.5, the second to 1.2.3.6 and the 4th back to 1.2.3.5. The other line of interest is this one:

pass in log on $ext_if inet proto tcp to <mailserver> port smtp

This line logs the SMTP connections to the real mailserver that could be running MS Exchange or sendmail or Postfix or whatever.

This is done because without the pflog0 virtual interface seeing the successful SMTP connections, real mails will never get through as the well behaved IP addresses will not get a chance to get noticed by spamd.

This job is done by the spamlogd(8) daemon in a pcap_capture_live() loop. The actual whitelisting is performed by spamd(8) but spamlogd(8) notices the packets on the log interface. I know my English is a bit cryptic but I hope you get the idea.

And you will also know in a minute that this requires this sysctl setting.

# sysctl net.inet.ip.forwarding=1

You will also notice that this firewall config ensures that mails are forwarded to 3 mailservers 1.2.3.5, 1.2.3.6 and 1.2.3.7 one after another in a round robin fashion.

This is useful when you have three MX records like this (see Listing 2).

The other thing you could do is failover between two OpenBSD boxes by doing CARP failover between them.

The thing about CARP is that it is a patent unencumbered version of the Cisco VRRP protocol (virtual router redundancy protocol) and it works with any service you wish to offer with a 100% uptime guarantee. CARP relies on the IP protocol 112. (Do a grep of CARP with /etc/protocols.)

CARP works remarkably well in an environment where you have colocated web servers or mail servers or just about any service you offer on top of IP. It could even be a UDP service. CARP is utterly painless and its real simplicity sometimes can be quite dumbfounding since it does a lot of work behind the scenes.

This does not get you TCP connection handover but this is pretty close to what you can get with minimal investment on hardware and software.

Just run the commands on machine A and machine B. On machine A, assume the network interface is vic0.

# ifconfig carp0 192.168.1.100 carpdev vic0 vhid 1

On machine B, assume the network interface is fxp0.

# ifconfig carp0 192.168.1.100 carpdev fxp0 vhid 1
Now all you have to do is use the virtual IP 192.168.1.100 of the carp virtual interface and you have a load balanced spam filter that can give you 100% uptime and it does load sharing with 3 mail servers and it also does not allow spam to enter your network thus saving you bandwidth.

The most interesting thing above all that is that it is 100% free of cost. The source code is free, you can do whatever you want with it and still I wonder why nobody is using this method to fight spam instead of Spamassassin.


Do you know?

I have an idea why the world has not yet woken up to this technology. People do not know the value of open source and this has got to do with the thinking that anything available free of cost and with no strings attached must be automatically bad.

Unfortunately we live in a world where open source dominates technological innovation, especially in the UNIX world.

OpenBSD attracts very smart minds to its fold and its transparent developer culture and no nonsense attitude has consistently brought about some of the best technologies in firewalling, advanced networking techniques and of course e-mail spam control.

Crypto is just in passing. OpenBSD has been having the best IPSec suite for many years now. And there are many other facilities too. But security is built into the randomness in malloc allocation, DNS query id allocation, TCP sequence numbers... in virtually anything and everything in OpenBSD.

Last but not the least, OpenSSH is a byproduct of this great OS!
Choosing and installing a Window Manager with FreeBSD

Rob Somerville

One of the many attractive features of BSD is that the end-user is not tied to a particular desktop or windowing environment.

While it is possible to run different shells with other major operating systems, BSD, Linux and Unix are different in that a separate layer (Xorg, the X Windows system) sits between the kernel and the GUI environment. Once Xorg is configured correctly, it is relatively trivial to install a Window Manager (WM), or indeed multiple WM's, if you so choose. At last count at freshports.org there were over 60 WM's available for BSD (Table 1), so choice is only limited by your processor and aesthetics.


Set-up and support 

Traditionally, setting up X Windows could be very tricky, often due to closed source video drivers or odd monitor configurations. While there are rogue video cards out there that are not natively supported, most cards these days can be persuaded to run in VESA mode. In the author's experience, more modern Cathode Ray Tube (CRT) and Liquid Crystal Display (LCD) screens will work straight out of the box with Xorg 7.x, especially as it now has a fail-safe / auto-config mode. The only difficulty that may arise is with wide-screen configurations or laptops; often these have proprietary hardware or obscure settings that need to be taken into consideration if optimal settings are desired.

Figure 1. X up and running

As it is possible to overdrive and consequently damage your video hardware, it is always good practice to check that your kit is supported beforehand and confirm optimal resolution, refresh rates, mode line settings etc., especially if you are unsure as to the specification. Modern hardware can probably cope better than older kit, but the wrong setting in


Window Managers available for BSD 


Currently maintained Window Manager ports [Screenshots in bold] 




Aewm 1.2.7.3 ICCCM-compliant window manager based 
on 9wm 


A simple window manager for X 


amaterus 0.34.15 A GTK+ window manager 
suipserne 242 Aaa Ay comigrated ghasetion SS een 
framework window manager oroborus 2.0.18. 1 A small and simple GNOME-compatible 
window manager 


blackbox 0.70.1. 2 Asmall and fast window manager for X11R6 


phluid 0.0.3. 10 A window manager that emphasizes efficiency, 
speed, and beauty 


manager 


echinus 0.3.9 A dynamic window manager for X11 based X11 
enlightenment 0.16.999.042_ Avery artistic X window manager sapphire 0.15.8_1 Small window manager 
4,2 ‘sawfish 5222 Lisp configurable window manager 


X11 
fluxbox 1.1.1.1 A small and fast window manager based on swm 1.3.4_4 Window manager for low-memory systems 


fywm? 2.4.20. 2 Popular virtual window manager for X like features 
an weewm 0.0.2 2,1 Fast and ultra light windowmanager with total 
golem 0.0.5 2 Small window manager with themes and keyboard control 


windowmaker 0.92.0 8 GNUstep-compliant NeXTstep window 
manager clone 


3 3.d An improved dynamic tiling window manager 


Se wg 0.18.0_7 Small GTK-based GNOME-compliant window 


ion 20020207 _2 A window manager with a text-editorish, manager 


larswm 7.5.3 2 Tiling Window Manager for X xfce 3.8.18_10 CDE like desktop with GTK 
matchbox 1.2 Window manager suitable for low-resolution xmonad 0.9.1 Xmonad is a minimalist and tiling window 
screens manager for X 
the monitor section of xorg.conf could potentially be problematic.

Desktop Environment versus Window Manager

With the plethora of choice available [1], it is possible to install anything from an extreme lightweight such as Ratpoison (a mouse-less WM) to a full blown Desktop Environment (DE) such as Gnome or KDE. A low specification PC will perform better with a WM rather than a DE.

Security and functionality are prime considerations and a DE will require a lot of additional library support which will not only add to the install time but potentially may add vulnerabilities. While most WM's are bare bones and highly customisable via their configuration files, a DE will come pre-configured with lots of additional goodies (such as file managers, printer monitoring utilities etc.) so if anything other than basic functionality is required, a DE may be the best choice.

While it is not best practice to install a GUI in a server environment, occasionally the need may arise (e.g. to run Virtualbox to install a virtual machine O/S from bare metal), and then a lightweight WM with few bells and whistles is useful. Xorg provides TWM as the default WM, and this is sufficient for most purposes.

User interface aesthetics are important as well; some prefer the minimalist approach of Blackbox to the slower but more visually stimulating Afterstep or Enlightenment.

For this article, all software was tested in a virtual machine running FreeBSD 8.0 and Xorg 7.4.


The major players 


The heavyweights 

These are the full blown desktop environments complete with their own suite of applications, libraries and utilities. It is probably best to install these from the installation DVD via sysinstall due to major package dependencies.

Both these DE's support a wide range of applications, and (apart from having to install some additional libraries) they will often support each other's applications as well. For a humorous analysis of the pros and cons of these DE's see the final smackdown at linuxmag.com [2].

Gnome (see Figure 2) - Traditional desktop with drop-down menus and the Nautilus file manager. More slim-line than KDE, it is the basis for the OpenSolaris desktop. With additional utilities it can be themed to look very Mac like. The standard for Redhat Linux.

KDE (see Figure 3) - Out of the box has a more contemporary styling than Gnome and is the default desktop for SUSE Linux Enterprise. Strong support for educational games and applications.

The middleweights

AfterStep (see Figure 4) - Based on the Bowman NeXTstep TM clone, this WM has plenty of eye-candy.

Enlightenment (see Figure 5) - A beautifully crafted WM still heavily under development.

The lightweights

Window Maker (Figure 6) - Reproduces the elegant look and feel of the NEXTSTEP TM user interface.

Blackbox (Figure 7) - A minimalist desktop but as a result has a very small footprint.

TWM - The default WM supplied with Xorg.


Getting Xorg up and running

Xorg needs to be installed either from the FreeBSD DVD or using pkg_add (Table 2). If you are running FreeBSD 7.4 or greater, DBUS and HALD are required. If required, ensure the moused daemon is operational and add the following lines to /etc/rc.conf as necessary.

moused_enable="YES"
dbus_enable="YES"
hald_enable="YES"

Manually start the moused, DBUS and HALD services or reboot. As an unprivileged user, start the X server:

xinit

If all is well, Xorg should start, your mouse should work and you will see a bare-bones X session up and running as shown in Figure 1.

Switch to the console you ran xinit from and press [ctrl-c] to terminate (ctrl-alt-backspace is disabled in later versions of Xorg). If your mouse or display doesn't come up, you will need to generate, test and modify the configuration as appropriate.

As root, run:

Xorg -configure
Xorg -config /root/xorg.conf.new -retro

You should now see the traditional hatched background and mouse cursor. Copy the xorg.conf.new file into /etc/X11/xorg.conf if you are successful, otherwise refer to the handbook at freebsd.org for more detail on how to proceed.

Installing your DE or WM

Gnome and KDE are supplied as packages on the FreeBSD 8.0 DVD and this was the preferred method of installation to save bandwidth. All other WM's were installed as packages using the following invocation:
* Wikipedia - Comparison of X Window System desktop environments - http://en.wikipedia.org/wiki/Comparison_of_X_Window_System_desktop_environments [1]

* Gnome V KDE - The Final Smackdown - http://www.linux-mag.com/id/7296 [2]

* OpenSolaris - OpenSolaris Desktop - http://hub.opensolaris.org/bin/view/Project+jds/ [3]

* There is no maintainer for this port - N/A


Table 2. xXxxxXXXXXX 


Installation and xinit commands 


Application / 


Window Manager 


Gnome 


Window Maker 


Afterstep 


x 


pkg_add -r command 


Ndiigahie ar ciligilieice (Gronnieiare, 


Installed via DVD using sysutils /usr/local/bin/gnome-session 
/usr/local/bin/gnome-session 


windowmaker /usr/local/bin/wmaker 
exec /usr/local/bin/wmaker 


afterstep /usr/local/bin/afterstep 
exec /usr/local/bin/afterstep 


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Figure 7. Blackbox 
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pkg_add -r packagename 


where packagename refers to the WM 
in question. The only exception was 
Enlightenment, at time of writing this WM 
had to be installed via the ports tree as the 
package appeared broken (Table 2). 


cd /usr/ports/x1l-wm/enlightenment 
make 


make install 


Testing the Window Manager 
To initially test, the WM can be run via xinit 
e.g. for the Gnome desktop environment: 


xinit /usr/local/bin/gnome-session 
See Table 2 for further details. 


Creating the .xinitrc file 

To facilitate starting the WM using the 
startx command, the .xinitrc file in the 
users home directory is created: 


echo “exec /usr/local/bin/blackbox” > 
~/.xinitre 


See table 2 for further examples. 


Login Manager 

The login manager presents the user with
a GUI immediately after the system boots.
Depending on the level of sophistication
of the login manager (e.g. Wdm), the user
can select what WM to run at login if
multiple WMs are installed.

If you require a graphical login
manager, gdm is installed as part of
the Gnome package and can be started at
boot by adding the following to rc.conf:


gdm_enable="YES"


For other login managers, please refer to 
the relevant man pages. 
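
As an added example (not from the article), the .xinitrc and rc.conf steps above can be wrapped in shell functions that avoid two pitfalls of the one-liners: silently overwriting an existing ~/.xinitrc, and leaving duplicate or conflicting entries in rc.conf. The function names and the .bak suffix are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: safer versions of the two manual steps above.
# Function names and the .bak backup suffix are assumptions, not from the article.

# write_xinitrc WM_BINARY [TARGET]
# Writes "exec WM_BINARY" to TARGET (default ~/.xinitrc). Unlike a bare
# "echo ... > ~/.xinitrc", it refuses a missing or non-executable binary and
# keeps a copy of any existing file as TARGET.bak.
write_xinitrc() {
    wm=$1
    target=${2:-"$HOME/.xinitrc"}
    if [ ! -x "$wm" ] || [ -d "$wm" ]; then
        echo "write_xinitrc: $wm is not an executable file" >&2
        return 1
    fi
    if [ -e "$target" ]; then
        cp -p "$target" "$target.bak" || return 1
    fi
    printf 'exec %s\n' "$wm" > "$target"
}

# rc_conf_enable VARIABLE [FILE]
# Sets VARIABLE="YES" in FILE (default /etc/rc.conf) exactly once: an existing
# assignment of the same variable is replaced, otherwise a line is appended.
rc_conf_enable() {
    var=$1
    file=${2:-/etc/rc.conf}
    # Accept only plain shell variable characters, so the name can be used
    # in the grep pattern below without being read as regex syntax.
    case $var in
        ''|*[!A-Za-z0-9_]*) echo "rc_conf_enable: bad name: $var" >&2; return 1 ;;
    esac
    [ -e "$file" ] || touch "$file" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Drop every earlier assignment of VARIABLE and keep everything else.
    # grep exits 1 when nothing is left to print, which is not an error here.
    grep -v "^[[:space:]]*$var=" "$file" > "$tmp" || [ $? -eq 1 ] || return 1
    printf '%s="YES"\n' "$var" >> "$tmp"
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$file" && rm -f "$tmp"
}
```

Typical use would be write_xinitrc /usr/local/bin/blackbox as the desktop user and rc_conf_enable gdm_enable as root.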


BSDCan, a BSD conference held in Ottawa, Canada, has quickly 
established itself as the technical conference for people working 
on and with 4.4BSD based operating systems and related projects. 
The organizers have found a fantastic formula that appeals to a 
wide range of people from extreme novices to advanced developers. 


BSDCan 2010 will be held on 13-14 May 2010 at University of 
Ottawa, and will be preceded by two days of Tutorials on 11-12 May 
2010. 


There will be related events (of a social nature, for the most part)
on the day before and after the conference.


http://bsdcan.org/


interview


BSD Live Desktops


Jesse Smith 


The BSD family has long held a well deserved reputation for being superb server
operating systems. However, OS X aside, it's not very often we hear about BSD on
the desktop. That's too bad, because many of the things which make BSD a perfect
solution in the server room are also great characteristics to have in a desktop system.
When I hear “BSD” I think of stability, speed, grace under heavy work loads and
a practical immunity to most viruses. Who wouldn't want those traits in their desktop?
It's that sort of thinking which has led to projects such as PC-BSD (http://pcbsd.org),
which took FreeBSD and placed a desktop layer over it. And FreeBSD isn't the
only member of the family being dressed up and displayed to the masses. Recently
NetBSD and OpenBSD have also been getting friendly new looks via the Jibbed
(http://www.jibbed.org) and GNOBSD (http://gnobsd.sri-dev.de) projects respectively. Both
projects take the basic system and add a user-friendly desktop on a live disc. This
makes exploring OpenBSD and NetBSD an easier task for people who might not
otherwise test drive these powerful operating systems. Last week Zafer Aydogan,
founder of Jibbed, and Stefan Rinkes, founder of GNOBSD, agreed to talk about their
projects, themselves and BSD.
BSD Mag: To start, could you
please tell us a little about
yourself. Where you are from and
how you got started with BSD?

SR: I’m 23 years old and live in Kirchheim,
near Munich in Germany. I had my first
experiences with OpenBSD during my
apprenticeship as an IT specialist about
two years ago.

ZA: I'm living in Kiel, Germany, where
I was also born, but as you can see
from my name I’m Turkish. I was raised
bilingual.

I got in touch with FreeBSD in 1999
and moved to NetBSD in 2000. I’ve never
used OpenBSD. In my day job, I work as
a software engineer in a small company.


BSD Mag: Why did you decide to 
start your project? 

ZA: NetBSD does not create a live CD
during the release process, therefore there
are no official live CDs. The ones available
are outdated. I thought there would be
a demand for NetBSD live CDs that are
up to date, giving, especially, non-NetBSD
users the opportunity to get in touch with
the OS without installing it.

One of the characteristics of NetBSD
is their friendly and knowledgeable
community. Building and customizing the
live CD was not too difficult, since there
was already a script for building live CDs
in pkgsrc. I just built a framework around it,
to keep it simple and to be able to release
regularly.

SR: I’m one of those learning-by-doing
guys, so GNOBSD was the perfect way to
learn more about OpenBSD, the installer,
programming (shell and Ruby) and how
to design GUIs. GNOBSD was a
learning-project and I learned a lot.

I also thought it would help some
people to try OpenBSD and to test to see
if all of their hardware is detected and
working properly.


BSD Mag: What sort of feedback
have you received on the
project? Have people offered
suggestions, bug reports, feature
requests, assistance?

SR: The feedback I received was more
positive than negative. Some people even
offered to set up a mirror for GNOBSD. I'm
looking forward to getting more e-mails
with feedback.

ZA: I have received mostly positive
feedback. People are happy if they can
run NetBSD on their hardware. Negative
feedback comes from users that either
expect something different or are unable
to run the CD. I’m trying to implement
suggestions, where possible and useful.


BSD Mag: OpenBSD and NetBSD 
are known for their security and 
flexibility on servers, do you 
think they also make for good 
desktop systems? 

ZA: Definitely NetBSD has made 
remarkable progress in being a desktop 
system. It still needs some effort and 
patience during setup, but it is possible to 
have a decent desktop system including 
Flash, being able to run Java applications 
and Cisco VPNs to your company 
network. 

SR: Of course. I think it is important to
use a secure OS as a desktop system. 
You can use OpenBSD for a secured 
office workstation, it has all you need. With 
a stability which is hard to find elsewhere. 


BSD Mag: GNOBSD and Jibbed 
are great ways to experiment 
with OpenBSD and NetBSD. Will 
there be future releases of these 
projects? Are there any new 
features planned? 

SR: There is the idea to provide code,
scripts and documentation, so that
everyone can build his/her own version
of GNOBSD. As easy as GNOBSD, but
customized to individual needs.

ZA: I'm currently preparing Jibbed-5.0.2,
which will be released as soon as
NetBSD-5.0.2 has been announced. The
most significant change on the CD will
be the switch to modular Xorg, which is
more up to date and can provide support
for more graphics cards than Xorg in the
base system. I’ve also added a couple
of new applications. The release after
that will be 5.1. I’m experimenting with
Gnome as a new window manager
and I'm also preparing a memory-stick-version
of Jibbed. The benefits of having
writeable media makes it a portable
NetBSD system on stick. Additionally,
I have recently started to code a graphical
installer using GTK2. It was bugging me for
a long time, not having one. Depending on
my spare time, you can expect a working
version in the next 12 months.


www.bsdmag.org


BSD Mag: Are you currently
working on any other projects?

SR: Just some small stuff, like
microcontroller programming and porting
some stuff to OpenBSD. And I’m currently
studying for a successful conclusion of my
apprenticeship. I’m sure there will be some
new projects when the exams are over.

ZA: No, I’m not. But, I would like to
thank all mirrors, who are generously
providing huge
amounts of bandwidth every month
and of course all NetBSD developers for
making one of the best operating systems
in the world.


BSD Magazine would like to thank
Herr Rinkes and Herr Aydogan for taking
the time to talk about their projects. Your
author has had a chance to play with
both systems and they do indeed provide
an easy way to explore a BSD system,
lowering the bar for new adoption. The
BSD community will no doubt benefit from
their work.


About the author 


Jesse Smith is a system administrator and 
programmer by training, an open source 
advocate by choice and a writer at heart. 
When he's not working with computers, 
he loves spending time with his family and 
enjoying the natural beauty of his native 
Canada. 
let’s talk


BSD Goes to the Office:
Can BSD compete in a real life consulting workplace?


Mike Bybee
Consultant, Fujitsu America


There are many articles that expound on the success of Linux as a desktop, and quite
a few accounts of using a Linux desktop in this case or that case.


There are fewer articles regarding a BSD based system
as a desktop, largely due to its status as a solid back office
system. BSD quietly powers a great deal of devices in
its many variations and incarnations, from firewalls and
mail servers to routers and switches. Running BSD as a desktop
is still relatively rare, and it is a far less publicized desktop than
its distant cousin, Linux. What fame it has relates mostly to the
common base it shares with Darwin, the base for Apple’s popular
OSX system.

I undertook an experiment with the support of my employers
to determine the viability of a BSD desktop in a real world
high pressure consulting engagement. The life of a consultant
requires absolute attention to the requirements of a client, so
there can be no compromises made on their side to allow for
any incompatibilities or shortcomings. This differs from the
usual article of this type by providing a systems administration
and consulting perspective instead of a journalist or home user
perspective.

For this experiment I chose to use Sun Virtual Box to run a
PC-BSD 8 Release Candidate guest operating system. Sun Virtual
Box was chosen largely due to the ease of use and support for
a wide variety of guest and host operating systems. PC-BSD 8
was chosen as it provides an excellent end-user experience with
a minimum of steps, and is based on the new FreeBSD 8. The
hardware I’m running this on is an older Fujitsu LifeBook E8110
with 1GB of RAM. The primary OS is the venerable Windows XP,
still the darling of the corporate world. The performance is poor
but tolerable, and there is typically noticeable swapping during
regular usage.

Here you can see my standard corporate desktop, and 
inset the new guest OS that will soon supplant it. From the task 
manager, you can see that it produces a very minimal load on 
the host system. 


The first step was to install Sun Virtual Box 3.12 on
Windows XP. The installation was quick and straightforward.
I then created a guest system, choosing FreeBSD as the guest
OS. I set the memory to a mere 400MB, enabled acceleration,
and created a 20 GB virtual disk based on dynamic allocation.
I then inserted a PC-BSD 8 install DVD and started the guest
OS.

PC-BSD has an attractive graphical installer, which provided
a good guide for the installation process. I chose to manually
set up the partitions, and enabled whole disk encryption for
/usr (based on GELI). There was no prompt to allow me to set
up a manual password for this disk, but this was easy enough
to configure later. I chose to install all of the default packages,
including Firefox, Open Office, VLC, Pidgin and more, and then
let it run.

The install ran for about 30 minutes without presenting 
too much of an issue for my standard tasks. At this point, 
my machine was swapping a bit as 1GB of RAM is not really 
enough even for standard Windows XP to run comfortably. 
There was some lag on the desktop, but it was really only 
noticeable in Outlook. 

After a reboot of the guest machine, I was confronted with
a minor bug in the install process; the system was attempting
to mount /usr with an invalid label. This has been fixed in
the installer code and shouldn't cause any further issues.
I rebooted once the error was corrected and it proceeded
into a graphical screen where I could choose my X driver and
resolution. As of this writing, the native Virtual Box drivers are
not included, so I had to set it initially to VESA. The KDE 4.3.4
desktop popped up, fully populated with the apps I had chosen,
and response was surprisingly good. I installed the Virtual Box
drivers from /usr/ports/emulators/virtualbox-ose-additions,
and set vboxguest_enable="YES" in /etc/rc.conf. Restarting without
X running, and then executing Xorg -configure handled the rest
of the display setup.

Once the Virtual Box drivers were
turned on it was very smooth, attractive,
and seamless. I was even able to
enable the KDE compositing effects
via XRender while still getting decent
responsiveness from the GUI. At this
point, I was ready to begin configuring
the new desktop.

The Xmarks utility provided quick
and painless synchronization of my
bookmarks and (optionally) stored
passwords from my primary desktop
to my PC-BSD desktop. I immediately
switched off my desktop browser in
favor of the guest and was impressed
that nearly every site I routinely access
worked fine.

The client I am at makes great use
of Microsoft SharePoint for collaboration
and document storage, and it doesn't
integrate with Firefox as tightly as
with Internet Explorer. All the same,
I was just prompted for my Active
Directory password and a handler
app for the various files. Open Office
responded quickly and smoothly, and
the experience of opening, reading,
and editing documents on SharePoint
was acceptable. Open Office even
handled password-protected documents
properly.

The next major hurdle was handling remote Microsoft Windows servers.
Many clients use Windows servers and they typically need to be
accessed via Remote Desktop. The PC-BSD Software Manager
(conveniently accessible via a desktop or menu shortcut) provided
me quick access to the PBI repository at http://pbidir.com as well
as integrating the installation and version management features.
I was able to find and download the PBI package for Remote Desktop
quickly and install it without any fuss whatsoever. Testing showed
that it worked quite well accessing remote Windows hosts, and this
was another feature that I could transition off my primary desktop.

Figure 2. Sun Virtual Box settings

Figure 4. Remote Desktop under PC-BSD 8

The native tools performed well for the Unix management tasks.
A great deal of my time is spent administering Unix hosts with SCP,
SSH, and various X11-based utilities. Under Windows this is
accomplished with a variety of tools — PuTTY, WinSCP, and of course
an X11 client are all commonly used. PuTTY is available as a PBI in
the event you need it, but in my experience I found it was faster
and easier to use the native tools under all circumstances. Likewise
scripting and editing files is easy via Vim or Kate, with Emacs
available as a PBI package.

Instant Messenger functionality is crucial in a modern distributed
workplace, and some corporations have a specific list of approved
instant messenger clients. Normally I would use Pidgin and a plug-in
such as SIPE if needed. Since WINE does not yet provide good support
for this app and we were prohibited from using any other client,
I fell back to using the web-enabled version.

Many tasks involve managing large enterprise databases such as
Oracle. The OEM Grid Control tools functioned without issue, and it
is even possible to install Oracle Express Edition for Linux via the
built in Linux Compatibility layer under BSD, though I didn’t have
the time to complete that for this test. Management of DB2 was also
easy. I did run into some road bumps managing Microsoft SQL servers.
The easiest method for managing SQL servers was simply to log in via
Remote Desktop.

My take away from this experience is that BSD is now capable of
being used in a professional consulting environment, and provides
the same levels of supportability and security that we expect from
our servers in an extremely inexpensive package. PC-BSD 8 performed
better than I had hoped, especially when running on so little
memory. It is telling that a guest OS running in only 400 MB of RAM
was able to outperform a bare metal host OS with full access to the
entire 1 GB. Sun Virtual Box also ran very well, and did a great
job running a guest OS without impacting the host excessively.
Running in LiveUSB mode with full access to the host, PC-BSD gave
my laptop a new lease on life. As a replacement OS it would probably
extend the service life of this laptop by an additional year or two,
and with a lower operating cost.

* http://www.virtualbox.org/
* http://wiki.freebsd.org/VirtualBox
* http://sipe.sourceforge.net/
* http://www.pcbsd.org/
* http://www.chiark.greenend.org.uk/~sgtatham/putty/
* http://pbidir.com/
* http://www.xmarks.com/
* http://en.wikipedia.org/wiki/Geli_%28software%29
* http://www.freebsd.org/doc/handbook/disks-encrypting.html